A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?
A. Educate and train key stakeholders.
B. Measure effectiveness of the program’s stated goals.
C. Determine a budget and cost analysis for the program.
Answer: A. Educate and train key stakeholders
Educate and train key stakeholders.
https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-VM_0.pdf
Steps in the implementation of the vulnerability management plan:
• Provide training.
• Conduct vulnerability assessment activities.
• Record discovered vulnerabilities.
• Categorize and prioritize vulnerabilities.
• Manage exposure to discovered vulnerabilities.
• Determine effectiveness of vulnerability dispositions.
• Analyze root causes.
Steps in the assessment and improvement of vulnerability management:
• Determine the state of the program.
• Collect and analyze program information.
• Improve the capability.
Answer A) Educate and train key stakeholders
This seems wrong because you would think all end users would need to get trained and not just key stakeholders... but literally none of the other answers available fall into the deployment stage, except for A.
https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-VM_0.pdf
D. Select and procure supporting technologies.
During the deployment phase, the organization selects and acquires the necessary technologies, tools, and resources that will be used to identify, assess, and remediate vulnerabilities in its IT environment. This includes the acquisition of vulnerability scanning tools, patch management solutions, and other security technologies required for the program.
I think it's option D.
I consider the other options as follows:
Option C is before the implementation phase.
Options A and B are after the implementation phase.
D) Selecting and procuring supporting technologies is a task that occurs during the deployment phase of establishing a vulnerability management program.
The deployment phase involves getting the necessary tools, technologies and resources in place to operate the vulnerability management program. This includes selecting and procuring solutions like vulnerability scanners, patch management systems, threat intelligence feeds, and any other supporting platforms.
The other options relate to different phases:
A) Training stakeholders occurs in the planning phase.
B) Measuring effectiveness of goals aligns with the maturity phase.
C) Budgeting and cost analysis takes place in the concept phase.
Conduct vulnerability assessments and penetration tests.
Vulnerability assessments use automated tools to search for known vulnerabilities in systems, applications, and networks.
These flaws may include missing patches, misconfigurations, or faulty code that expose the organization to security risks.
From: CISSP® Certified Information Systems Security Professional Official Study Guide, Ninth Edition
I'd go with B. As per CBK 2015, page 187: The vulnerability management program must then verify that the patch was, in fact, implemented as expected. Although this may seem inherent to the objective, it cannot be assumed. In the case of manual deployment, users and system owners may not respond accordingly or in a timely fashion. Even if timely deployment is executed, the patch may have failed. This is somewhat compensated for in automated deployment; nevertheless, both scenarios require validation of an effective installation.
safri (5 months, 2 weeks ago)
GuardianAngel (9 months, 2 weeks ago)
YesPlease (11 months ago)
Soleandheel (11 months, 1 week ago)
[Removed] (11 months, 2 weeks ago)
InclusiveSTEAM (1 year, 1 month ago)
printfmarcelo (1 year, 2 months ago)
Mrtn_Fgra (1 year, 7 months ago)
jackdryan (1 year, 6 months ago)
Bodatiousbob (1 year, 8 months ago)