ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

While documenting requirements for a new mobile banking app, the architect writes, "All sensitive data stored on the device shall be encrypted using a cryptographic module validated to FIPS 140-2 Level 1." How should this statement be classified within the requirements set?

Functional security requirement, because it dictates what the application must do-encrypt data on the device.
Non-functional security requirement, because it specifies a quality standard for encryption rather than a user-visible function.
Business compliance requirement, because it addresses regulatory expectations for encryption.
Operational deployment requirement, because it affects how the runtime environment on the device is configured.

Report Issue

Answer Description

The statement does not describe a user-visible capability such as entering a PIN or changing a password. Instead, it prescribes how the application must perform encryption by referencing an external standard (FIPS 140-2). That makes it a non-functional security requirement, since it specifies a quality attribute (strength and validation of encryption) the software must possess. Classifying it as functional would be incorrect because it does not outline an interaction or feature from the user's perspective. It is not an operational deployment requirement-the requirement applies to the software itself, not to the runtime environment. Nor is it a broad business compliance requirement; it is a detailed technical specification that supports compliance but belongs in the security requirements section.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.