ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During sprint-0 planning for a new cloud-based electronic health-record (EHR) product, you need to give executives a single document that clearly shows how business objectives, identified risks, chosen security controls, and the specific HIPAA requirements they satisfy all tie together. Which artifact best delivers this consolidated Governance, Risk, and Compliance (GRC) view?
The agile product backlog containing user stories and acceptance criteria
The most recent network vulnerability scan report for the development environment
A HIPAA Compliance Matrix that cross-references business objectives, risks, security controls, and relevant HIPAA clauses
The disaster-recovery and business-continuity runbook for production systems
A HIPAA Compliance Matrix, sometimes called a risk-control or compliance matrix, presents each business objective alongside the risks that could threaten it, the security controls selected to mitigate those risks, and the exact HIPAA clauses those controls satisfy. By cross-referencing these elements in one table, the matrix provides leadership with a concise, end-to-end view of how governance goals, risk treatments, and regulatory obligations are aligned.
The network vulnerability scan report highlights technical flaws but does not map them to governance objectives or regulations. An agile product backlog prioritizes features through user stories and acceptance criteria, yet it rarely traces items to specific controls or HIPAA clauses unless augmented for that purpose. A disaster-recovery and business-continuity runbook does link high-level governance and risk treatment for availability, but it is primarily an operational playbook and does not enumerate all project risks, controls, and HIPAA requirements across confidentiality, integrity, and privacy. Therefore, the compliance matrix remains the most comprehensive single artifact for an integrated GRC perspective.
Secure Software Concepts