
Exam CISSP topic 1 question 345 discussion

Actual exam question from ISC's CISSP
Question #: 345
Topic #: 1

The Open Web Application Security Project's (OWASP) Software Assurance Maturity Model (SAMM) allows organizations to implement a flexible software security strategy to measure organizational impact based on what risk management aspect?

  • A. Risk exception
  • B. Risk tolerance
  • C. Risk treatment
  • D. Risk response
Suggested Answer: B

Comments

HughJassole
Highly Voted 1 year, 7 months ago
B. I googled SAMM combined with all the options and "risk tolerance" is the only one that matched: "assurance goals are commensurate with their business goals and risk tolerance." https://owasp.org/www-pdf-archive/OpenSAMM_How_To_V1-1-Final.pdf
upvoted 8 times
Rollizo
Highly Voted 2 years, 4 months ago
Selected Answer: D
SAMM: The Open Web Application Software Project (OWASP) embeds risk response and mitigation throughout the software development cycle.
upvoted 7 times
jackdryan
1 year, 9 months ago
D is correct
upvoted 1 times
ayadmawla
Most Recent 4 weeks ago
Selected Answer: B
Software Assurance Maturity Model (SAMM) enables organizations to implement a flexible software security strategy by providing a framework that can be tailored to their specific risk tolerance, allowing them to prioritize security activities based on their unique needs and measure their progress towards a more secure software development process.
upvoted 1 times
99046af
1 month ago
Selected Answer: C
The OWASP Software Assurance Maturity Model (SAMM) helps organizations assess and improve their software security practices, and one of its key focuses is on managing risk treatment. Risk treatment refers to how an organization plans to mitigate, accept, transfer, or avoid risk.
upvoted 1 times
zehn
1 month, 2 weeks ago
Selected Answer: B
OWASP emphasizes aligning software security practices with an organization's risk tolerance.
upvoted 2 times
deeden
6 months, 1 week ago
Selected Answer: B
OWASP SAMM helps organizations create and adapt their software security strategy based on their risk tolerance, allowing them to measure and adjust their security practices according to the level of risk they are willing to accept. Risk response involves the actions taken to address identified risks, including mitigation, avoidance, acceptance, or transfer. SAMM's framework focuses more broadly on the organization's overall risk tolerance rather than specific responses to individual risks. https://owasp.org/www-project-samm/
upvoted 2 times
JohnBentass
8 months, 2 weeks ago
Answer is B, Risk tolerance
upvoted 1 times
lsiau76
9 months, 2 weeks ago
Selected Answer: B
https://drive.google.com/file/d/1cI3Qzfrly_X89z7StLWI5p_Jfqs0-OZv/view?pli=1 'Based on the magnitude of assets, threats, and risk tolerance, develop a security strategic plan and budget to address business priorities around application security' Pg 24. No mention of the rest.
upvoted 2 times
GuardianAngel
1 year ago
Changed answer. According to the ISC2 official study guide: risk management strategies are options of risk response or management. These include acceptance/tolerance, avoidance, assignment/transfer, reduction/mitigation, and rejecting/ignoring, so the answer would be B. Risk tolerance was also in the glossary, but the terms risk treatment and risk exception (while valid terminology outside the ISC2 study guide) weren't listed, so it appears this question is another 'word game' question.
upvoted 1 times
GuardianAngel
1 year ago
treatment. Risk treatment involves identifying, assessing, and prioritizing risks and then implementing measures to mitigate, transfer, avoid, or accept those risks based on the organization's risk appetite and objectives. SAMM helps organizations treat risks related to software security by providing guidance on improving their software development practices, enhancing security controls, and implementing security measures throughout the software development lifecycle. By addressing vulnerabilities and weaknesses in software development processes, SAMM helps organizations reduce the likelihood and impact of security incidents and breaches.
upvoted 1 times
gjimenezf
1 year ago
Selected Answer: C
SAMM is more aligned with the concept of "risk treatment" rather than "risk response." Risk treatment involves the actions taken to manage, mitigate, or accept identified risks. In the context of SAMM, organizations use the model to assess their current software security practices and then implement improvements and measures to treat or mitigate identified security risks.
upvoted 1 times
YesPlease
1 year, 2 months ago
Selected Answer: B
Answer B) Risk Tolerance
A software security framework must be flexible and allow organizations to tailor their choices based on their risk tolerance and the way in which they build and use software. https://owasp.org/www-pdf-archive/SAMM_Core_V1-5_FINAL.pdf
upvoted 2 times
Soleandheel
1 year, 2 months ago
B. Risk tolerance
The Open Web Application Security Project's (OWASP) Software Assurance Maturity Model (SAMM) primarily focuses on measuring organizational impact based on "Risk Tolerance."
upvoted 1 times
BoyBastos
1 year, 5 months ago
Selected Answer: B
B. Risk tolerance
The Open Web Application Security Project's (OWASP) Software Assurance Maturity Model (SAMM) allows organizations to implement a flexible software security strategy to measure organizational impact based on risk tolerance. Risk tolerance refers to an organization's willingness to accept a certain level of risk. SAMM helps organizations assess and improve their software security practices while considering their specific risk tolerance and needs.
upvoted 5 times
ACunningPlan
1 year, 10 months ago
Selected Answer: C
ChatGPT and I both say Risk Treatment because OWASP SAMM is "an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization."
upvoted 4 times
DapengZhang
1 year, 10 months ago
Selected Answer: C
The risk tolerance of an organization refers to its willingness to accept a certain level of risk. By using the SAMM framework, an organization can evaluate its current risk tolerance and identify areas where improvements can be made. This allows the organization to implement a flexible software security strategy that is aligned with its overall risk management objectives.
upvoted 1 times
DapengZhang
1 year, 10 months ago
Typo, B,
upvoted 4 times
rajkamal0
2 years, 1 month ago
Selected Answer: D
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
- Evaluate an organization’s existing software security practices
- Build a balanced software security assurance program in well-defined iterations
- Demonstrate concrete improvements to a security assurance program
- Define and measure security-related activities throughout an organization
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other