ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During contract negotiations for integrating a third-party cryptographic library into a safety-critical medical device, your organization wants the option to perform on-site inspections of the supplier's secure build environment if a vulnerability is suspected. Which contractual provision most directly supports this requirement?

Require a software escrow agreement to deposit the library's source code with a neutral third party.
Negotiate a service-level agreement specifying vulnerability remediation timeframes.
Add an indemnification clause making the supplier financially liable for security defects.
Include a clause granting your organization a right to audit the supplier's processes and facilities.

Report Issue

Answer Description

A right-to-audit clause explicitly grants the purchaser authority to review and inspect the supplier's facilities, processes, and records on demand or on a defined schedule. This capability is essential for verifying the pedigree and provenance of software components and ensuring that secure development controls are actually in place.

An indemnification clause focuses on financial liability after problems occur and does not grant inspection rights.
A service-level agreement sets performance and response metrics but likewise offers no inspection authority.
A software escrow agreement protects access to source code if the vendor defaults but does not authorize audits of the build environment.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.