Tough one. My initial answer is A, but then I worked on SAQ/SIG, which is part of vendor management. Then I found a solid article linking RFPs and security that mentions regulations like HIPAA and GDPR.
-Creating and issuing the solicitation or request for proposal (RFP) with a SOW, instructions to potential respondents of RFP and terms and conditions, including conditions for acceptance, prequalification considerations and certifications.
-Evaluating supplier proposals submitted in response to the solicitation or RFP.
-Finalizing contract negotiation to include changes in terms and conditions and awarding the contract.
Software risks should be addressed and mitigated through terms and conditions, certifications, evaluation factors for award and risk mitigation requirements in the SOW.
Both options A and C are correct. However, if we have to choose the process where security considerations MUST be considered, it's the vendor selection process (option C), as it directly pertains to selecting the software provider based on their security capabilities and track record.
Vendor selection criteria can certainly be specified in the RFP. In fact, the RFP process is often used to help organizations identify potential vendors and evaluate their offerings based on a variety of criteria, including security.
However, the RFP process is not the process in which security must be considered. While security should be an important consideration during the RFP process, it is not the only or even the most important factor in the decision-making process.
The vendor selection process, on the other hand, is specifically focused on evaluating potential vendors based on their security measures, among other criteria. This process typically involves a more detailed evaluation of the vendor's security policies, procedures, and past security incidents, as well as other factors such as cost, functionality, and vendor qualifications.
Overall, while vendor selection criteria can certainly be specified in the RFP, it is during the vendor selection process that security must be considered in a more detailed and thorough manner.
The question doesn't specify that the software is being created; it could be COTS. From the CISSP Student Guide: "Systems, product and even retailer or wholesaler selection are still decisions that can and should be influenced by security considerations. Exploit the CVE data that is available, both for the products under consideration and for other products made by the same vendor; research the vendors' reputations for responding to vulnerability reports, their responsiveness in issuing timely security updates, and their use of signed software update packages to distribute those updates. The same due care you would use to keep such a system safely operating once you had installed it can and should be used as due diligence on it before you endorse the decision to buy, lease, or license it for use."
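The due diligence the Student Guide quote above describes (mine CVE data for the candidate products and the same vendor's other products, check patch turnaround, check whether updates are signed) is easy to turn into a repeatable scorecard. The block below is an added example, not code from the exam discussion, ExamTopics or the CISSP Student Guide. The vendor names, product names, CVE identifiers and dates are constructed sample data in the shape of NVD-style entries; the 30-day SLA is an assumed value that an acquirer would set from its own RFP terms.

```python
"""Vendor due-diligence scorecard built from CVE-style records.

Added example. All vendors, products, CVE IDs and dates below are
CONSTRUCTED placeholders, not real advisories. In practice the records
would be pulled from the NVD JSON feed or the vendor's own advisories.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass
class CveRecord:
    cve_id: str            # constructed identifier, not a real CVE
    vendor: str
    product: str
    cvss: float            # CVSS v3 base score, 0.0-10.0
    published: date        # date the issue became public
    fixed: Optional[date]  # date the vendor shipped a fix, None if still open


# Constructed sample records covering two hypothetical vendors.
SAMPLE_RECORDS: List[CveRecord] = [
    CveRecord("CVE-0000-0001", "AcmeSoft", "AcmeCRM", 9.8, date(2023, 1, 10), date(2023, 1, 24)),
    CveRecord("CVE-0000-0002", "AcmeSoft", "AcmeCRM", 5.3, date(2023, 3, 2), date(2023, 3, 30)),
    CveRecord("CVE-0000-0003", "AcmeSoft", "AcmeMail", 7.5, date(2023, 6, 1), date(2023, 6, 15)),
    CveRecord("CVE-0000-0004", "BetaWare", "BetaERP", 9.1, date(2023, 2, 5), date(2023, 8, 20)),
    CveRecord("CVE-0000-0005", "BetaWare", "BetaERP", 8.8, date(2023, 4, 12), None),
    CveRecord("CVE-0000-0006", "BetaWare", "BetaPortal", 4.0, date(2023, 5, 1), date(2023, 5, 3)),
]

# Constructed attestation: does the vendor sign its update packages?
SIGNED_UPDATES: Dict[str, bool] = {"AcmeSoft": True, "BetaWare": False}


def days_between(start: date, end: date) -> int:
    return (end - start).days


def vendor_scorecard(vendor: str,
                     records: List[CveRecord],
                     as_of: date,
                     signs_updates: bool,
                     sla_days: int = 30) -> dict:
    """Summarise one vendor's vulnerability track record.

    sla_days is the patch turnaround the acquirer expects (assumed value;
    set it from the RFP's terms and conditions). Every high/critical issue
    that is still open or was fixed outside the SLA becomes a finding, as
    does unsigned update distribution; a vendor with no findings meets the
    bar for this screen.
    """
    mine = [r for r in records if r.vendor == vendor]
    fixed = [r for r in mine if r.fixed is not None]
    still_open = [r for r in mine if r.fixed is None]
    severe = [r for r in mine if r.cvss >= 7.0]  # high or critical by CVSS v3
    fix_times = [days_between(r.published, r.fixed) for r in fixed]
    within_sla = [r for r in fixed if days_between(r.published, r.fixed) <= sla_days]

    findings: List[str] = []
    for r in severe:
        if r.fixed is None:
            age = days_between(r.published, as_of)
            findings.append(f"{r.cve_id} ({r.product}, CVSS {r.cvss}) still unpatched after {age} days")
        elif days_between(r.published, r.fixed) > sla_days:
            took = days_between(r.published, r.fixed)
            findings.append(f"{r.cve_id} ({r.product}, CVSS {r.cvss}) took {took} days to fix (SLA {sla_days})")
    if not signs_updates:
        findings.append("vendor does not sign update packages")

    return {
        "vendor": vendor,
        "total_cves": len(mine),
        "high_or_critical": len(severe),
        "open": len(still_open),
        "median_days_to_fix": median(fix_times) if fix_times else None,
        "pct_fixed_within_sla": round(100.0 * len(within_sla) / len(mine), 1) if mine else None,
        "oldest_open_days": max((days_between(r.published, as_of) for r in still_open), default=0),
        "signs_updates": signs_updates,
        "findings": findings,
        "meets_bar": not findings,
    }


if __name__ == "__main__":
    for v in sorted({r.vendor for r in SAMPLE_RECORDS}):
        card = vendor_scorecard(v, SAMPLE_RECORDS, date(2023, 9, 1), SIGNED_UPDATES[v])
        print(card["vendor"], "meets bar:", card["meets_bar"])
        for f in card["findings"]:
            print("  -", f)
```

The point of keeping the output as structured findings rather than a single score is that each finding maps directly onto something you can write into the RFP evaluation factors or the contract's terms and conditions (a patch SLA, a signed-update requirement), which is where the article quoted earlier says software risk should be mitigated.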
I think C is part of A. Because: a Request for Proposal (RFP) is a business document posted publicly to announce new projects, ask for bids and give out project details to interested parties, vendors or companies. Government agencies and companies use an RFP to explain the scope and goals of projects, create a list of all the necessary requirements, describe evaluation criteria, explain the contract terms and outline bidding processes.
Security must be brought into the process as soon as possible. That means during the most initial phase of the 4 answers provided. In this case, going out for RFP is the first step. Security should have been brought in the second someone said "I need a new system" (but that's not a choice here). You are not going to choose a vendor until you review proposals sent in response to the RFP.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters (name, posted):
- homeysl, 8 months, 1 week ago
- hoho2000, 8 months, 3 weeks ago
- JBAnalyst, 9 months ago
- wins34, 9 months, 1 week ago
- 74gjd_37, 1 year, 2 months ago
- RVoigt, 1 year, 9 months ago
- jackdryan, 1 year, 6 months ago
- rajkamal0, 1 year, 11 months ago
- rdy4u, 2 years ago
- Toyeeb, 2 years, 1 month ago
- oudmaster, 1 year, 11 months ago
- franbarpro, 2 years, 1 month ago
- Humongous1593, 2 years ago