ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your team is integrating a third-party SaaS analytics component. To align with the cloud shared responsibility model, you must clearly establish who performs vulnerability scanning, penetration testing, and code review. Which contractual artifact best captures and communicates this testing scope to both parties before go-live?
A unilateral non-disclosure agreement signed at project kickoff
The supplier's latest SOC 2 Type II attestation report
The software bill of materials (SBOM) delivered with the product
A responsibility assignment (RACI) matrix included in the contractual agreement
Under a shared responsibility model, it is essential to spell out exactly which party is responsible, accountable, consulted, or informed for every security test in the acquisition and deployment lifecycle. A responsibility assignment matrix (commonly called a RACI) that is formally attached to, or embedded in, the master services agreement or statement of work provides that clarity. The matrix assigns roles (Responsible, Accountable, Consulted, Informed) for specific tasks such as code review, vulnerability assessment, and penetration testing, ensuring that neither the supplier nor the acquirer assumes the other will perform critical controls. A SOC 2 report, NDA, or SBOM can support due diligence, confidentiality, or component tracking respectively, but none of them explicitly allocates day-to-day testing responsibilities between the parties.
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Supply Chain