ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company is acquiring a third-party SaaS payroll module to integrate with its existing HR workloads on AWS. As the security practitioner participating in the acquisition phase of the asset management lifecycle, you must ensure the software is properly evaluated before it moves into production. Which approach best satisfies security testing and evaluation requirements while aligning with lifecycle best practices?
Permit your internal red-team to conduct penetration testing against the production SaaS environment after it is in service.
Mandate that the vendor provide a recent SOC 2 Type II report and accept it as sufficient proof of security controls.
Rely on AWS compliance certifications and the shared responsibility model as evidence that the software will be secure when deployed.
Include detailed security requirements in the purchase contract and perform a security acceptance test in a dedicated pre-production environment before final acceptance.
Security testing should be embedded in the acquisition and development phases, not deferred until after deployment. By placing explicit security requirements in the contract and performing a formal security acceptance test in a controlled pre-production environment, the organization verifies that the vendor's product meets policy, compliance, and technical expectations before it is introduced into live operations. Simply accepting a SOC 2 report or relying on the cloud provider's certifications does not validate that the specific implementation meets internal controls, and post-deployment penetration testing alone finds issues too late, when corrective actions are costlier and risk exposure is higher.
Exam domain: Security Concepts and Practices