Exam CISSP topic 1 question 352 discussion

Part II While risk tolerance and risk response are related concepts in risk management, they are not the primary focus of SAMM. Risk tolerance refers to the level of risk that an organization is willing to accept or tolerate, while risk response involves developing strategies to address identified risks in alignment with the organization's risk tolerance and objectives. However, SAMM's focus is more on providing a structured approach to improving software security practices rather than specifically addressing risk tolerance or risk response. so the answer is C: Risk Treatment

The correct answer is B. Explanation: When conducting a third-party risk assessment of a new supplier, the Service Organization Control (SOC) 2, Type 2 report should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles. SOC 2 reports are issued by independent auditors and provide detailed information about a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. A Type 2 report includes an auditor's opinion on the design and operating effectiveness of the controls.

B. The scope is different: SOC 1 reports focus on financial controls, while SOC 2 reports focus more broadly on availability, security, processing integrity, confidentiality and privacy

Operating Effectiveness means SOC 2 Type 2 (SOC 2 Type 1 is a point in time test/document review)

"operating effectiveness" is a key