ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

The security (system security) plan is created at the outset of a project to capture the system's overall security requirements, the specific controls selected to meet them, assigned responsibilities, and implementation milestones. It establishes the baseline against which security progress and compliance are measured during development and operations.

• A risk assessment report records identified threats, vulnerabilities, and their potential impact but does not prescribe how controls will be implemented or managed over time.
• An incident response plan focuses on procedures for detecting, responding to, and recovering from security incidents, not on documenting baseline controls and schedules.
• A verification and validation test report summarizes testing results after tests have been executed; it is evidence of control effectiveness, not the planning artifact that defines those controls. Therefore, producing a comprehensive security plan is the appropriate action.