Which of the following is a strategy of grouping requirements in developing a Security Test and Evaluation (ST&E)?
Correct Answer: B
According to the CISSP Official (ISC)2 Practice Tests [3], the strategy for grouping requirements in developing a Security Test and Evaluation (ST&E) is management, operational, and technical. ST&E is the process of verifying and validating the security posture and effectiveness of a system, network, or application by conducting tests and evaluations of the security controls and mechanisms implemented on them. The requirements for ST&E are the criteria and standards that define the scope, objectives, methods, and deliverables of the ST&E process, as well as the roles and responsibilities of the stakeholders involved. These requirements can be grouped into three categories: management, operational, and technical.

Management requirements relate to the planning, coordination, and oversight of the ST&E process, such as the budget, schedule, resources, policies, and procedures. Operational requirements relate to the functionality, performance, and usability of the system, network, or application, and to the security services and processes that support them, such as availability, reliability, scalability, backup, recovery, and incident response. Technical requirements relate to the design, implementation, and configuration of the system, network, or application, and to the security controls and mechanisms that protect them, such as encryption, authentication, authorization, auditing, and logging.

Tactical, strategic, and financial is not a strategy for grouping requirements in developing an ST&E, although these may be factors that influence the requirements. Tactical, strategic, and financial are terms that describe the level, scope, and purpose of the decisions and actions taken by the organization, such as its goals, objectives, plans, and resources.

Documentation, observation, and manual is not a strategy for grouping requirements in developing an ST&E, although these may be methods or techniques used in the ST&E process. Documentation is the process of creating and maintaining the records and reports of the ST&E process, such as the test plan, test cases, test results, and test analysis. Observation is the process of monitoring and inspecting the system, network, or application, and its security controls and mechanisms, during the ST&E process, for example using tools, sensors, or cameras. Manual refers to performing the ST&E process by hand, without automated tools or scripts, for example using human testers, checklists, or interviews.

Standards, policies, and procedures is not a strategy for grouping requirements in developing an ST&E, although these may be sources or references used in the ST&E process. Standards, policies, and procedures are the documents that define the rules, principles, and guidelines for the security of the system, network, or application, and for the ST&E process itself, such as the security requirements, best practices, and compliance criteria.

References: [3] CISSP Official (ISC)2 Practice Tests