ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During contract negotiations for a cloud-hosted business application, your organization wants to be sure that security testing responsibilities are unambiguous. Which contractual artifact most directly clarifies what security tests the vendor must perform versus those your own team will execute under a shared responsibility model?

The vendor's annual SOC 2 Type II attestation schedule
A non-disclosure agreement covering any penetration-test findings
A RACI matrix that lists every planned security test and assigns responsibility to either the vendor or the customer
A financial penalty clause tied to missed vulnerability remediation SLAs

Report Issue

Answer Description

A responsibility-assignment artifact such as a RACI (Responsible, Accountable, Consulted, Informed) matrix explicitly maps each security testing activity-static code analysis, penetration testing, vulnerability scanning, and so on-to the party that is responsible or accountable. This makes the scope of testing clear for both supplier and acquirer. Merely requesting a SOC 2 report, imposing SLA penalties, or signing an NDA may be useful for assurance, enforcement, or confidentiality, but none of those documents enumerates who performs which tests.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.

What is a RACI matrix, and how does it relate to shared responsibility in security testing?

Open an interactive chat with Bash

What is the difference between a SOC 2 Type II report and a RACI matrix when it comes to defining responsibilities?

Open an interactive chat with Bash

Why is a financial penalty clause (e.g., SLA violations) insufficient for clarifying security responsibilities?

Open an interactive chat with Bash

What is a RACI matrix and how is it used in security testing responsibilities?

Open an interactive chat with Bash

What is SOC 2 Type II attestation, and why is it insufficient to clarify testing responsibilities?

Open an interactive chat with Bash

Why is a financial penalty clause tied to missed SLA vulnerabilities inadequate for assigning testing roles?

Open an interactive chat with Bash

ISC2 Certified Secure Software Lifecycle Professional (CSSLP)

Secure Software Supply Chain

Your Score:

Settings & Objectives

Secure Software Concepts

Secure Software Lifecycle Management

Secure Software Requirements

Secure Software Architecture and Design

Secure Software Implementation

Secure Software Testing

Secure Software Deployment, Operations, Maintenance

Secure Software Supply Chain

Random Mixed

Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.

Rotate by Objective

Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Hide Score

Check or uncheck an objective to set which questions you will receive.

Bash, the Crucial Exams Chat Bot

AI Bot