ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During contract negotiations for a cloud-hosted authentication service, your organization insists that the provider stream security logs to your SIEM and apply critical security patches within an agreed period. Which contractual instrument is BEST suited to formalize and enforce these ongoing monitoring and vulnerability-response requirements?

An intellectual-property assignment transferring ownership of custom-developed code
A service-level agreement that specifies log delivery formats, frequency, and remediation timelines
A code-escrow clause ensuring release of source code if the supplier becomes insolvent
A non-disclosure agreement outlining confidentiality and proprietary information handling

Report Issue

Answer Description

A service-level agreement (SLA) is specifically intended to define measurable performance and service requirements that the supplier must meet throughout the life of the contract. Security-related SLAs commonly spell out log-generation formats, transmission frequency to the customer's SIEM, maximum time to notify of incidents, and deadlines for releasing patches or mitigations. A non-disclosure agreement focuses on confidentiality, not operational security obligations. A code-escrow clause only guarantees source-code availability if the vendor fails to support the product, and an intellectual-property assignment governs ownership rights, not day-to-day security monitoring or response expectations. Therefore, the SLA is the most appropriate vehicle for enforcing continuous logging and vulnerability-response commitments.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.