ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During final security testing, you review the administrator installation guide for a new payroll application and notice it never instructs administrators to disable the default Guest accounts that remain enabled after setup. To meet organizational requirements for verifying and validating security documentation, what is the most appropriate next step before release?

Silently remove the Guest accounts in the code but leave the documentation unchanged to avoid delaying the release.
Log a documentation defect and require the guide and installer to be updated to direct administrators to disable the Guest accounts before shipping.
Release on schedule and publish an out-of-band knowledge-base article later that explains how to disable the Guest accounts.
Approve the release because experienced administrators will know to disable unused accounts even without documentation.

Report Issue

Answer Description

Organizational policy requires security documentation to be complete, accurate, and available at release so deployers can configure the product securely. Leaving default Guest accounts active in production represents a serious vulnerability, and failing to document the need to disable them is a critical documentation defect. The correct response is to file a release-blocking defect so the installer and administrator guide are updated to instruct administrators to disable (or remove) the Guest accounts before shipping. Releasing without fixing the guides, relying on administrator intuition, issuing post-release knowledge-base articles, or silently changing code without matching documentation all violate the organization's verification and validation requirements and could leave systems exposed.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.