Document Name: TECHNICAL GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT
Ref URL: https://www.govinfo.gov/content/pkg/GOVPUB-C13-894df23cbad6ad74af7d49c17b081dd1/pdf/GOVPUB-C13-894df23cbad6ad74af7d49c17b081dd1.pdf
Ref Page 52
Ref Text:
Any requirements to inform parent organizations, law enforcement, and a computer incident response team (CIRT) should be identified in the assessment plan.
The correct answer is B. Security assessment plan.
Explanation:
The security assessment plan is a document that outlines the scope, objectives, and methodology of a security assessment, including testing activities. It typically includes details about what actions need to be taken in the event of a security incident, such as informing parent organizations, law enforcement, and computer incident response teams. This plan helps to ensure that all parties involved are aware of their responsibilities and that appropriate communication channels are in place.
Incorrect answers:
A. Security Assessment Report (SAR): The SAR is a document that presents the findings of a security assessment, including identified vulnerabilities and recommendations for mitigation. It does not typically contain information about informing relevant parties during testing.
B. Security assessment plan. The Security Assessment Plan outlines the scope, objectives, methodology, and communication procedures for the security assessment, including incident reporting and notification protocols. It is different from the SAR, which reports the outcome or results of a security assessment.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
"Any requirements to inform parent organizations, law enforcement, and a computer incident response team (CIRT) should be identified in the assessment plan"
A security assessment plan outlines the scope, objectives, and procedures for a security assessment. It also typically includes details about communication protocols, including when and how to inform relevant parties such as parent organizations, law enforcement, and computer incident response teams in the event of specific findings or incidents during the assessment. The other options do not typically contain this specific information.
B. The plan should also address the logistical details of the engagement, including the hours of operation for assessors; the clearance or background check level required; a call plan with current contact information, network and security operations centers, and the organization's main point of contact for the assessment; the physical location where assessment activities will originate; and the equipment and tools that will be used to conduct the assessment. Any requirements to inform parent organizations, law enforcement, and a computer incident response team (CIRT) should be identified in the assessment plan.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Any requirements to inform parent organizations, law enforcement, and a computer incident response team (CIRT) should be identified in the assessment plan.
Security Assessment Report: provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.