Accreditation is the authorization by management to implement software or systems in a production environment. This authorization may be either provisional or full.
The following are incorrect answers:
Certification is incorrect. Certification is the process of evaluating the security stance of the
software or system against a selected set of standards or policies. Certification is the technical
evaluation of a product. This may precede accreditation but is not a required precursor.
Acceptance is incorrect. This term is sometimes used as the recognition that a piece of software or
system has met a set of functional or service level criteria (the new payroll system has passed its
acceptance test). Certification is the better tem in this context.
Evaluation is incorrect. Evaluation is certainly a part of the certification process but it is not the
best answer to the question.
Reference(s) used for this question:
The Official Study Guide to the CBK from ISC2, pages 559-560
AIO3, pp. 314 - 317
AIOv4 Security Architecture and Design (pages 369 - 372)
AIOv5 Security Architecture and Design (pages 370 - 372)

The element of software supply chain management that has the greatest security risk to organizations is the use of unsupported libraries. Unsupported libraries are libraries that are no longer maintained, updated, or patched by the original developers or vendors, and that may contain security vulnerabilities or issues that can be exploited by the attackers. The use of unsupported libraries can pose a security risk to organizations, as it can compromise the security, functionality, and performance of the software that depends on them, and expose the software to potential attacks, such as code injection, denial-of-service, or data breach. The use of unsupported libraries can also violate the security policies and standards, and the regulatory and contractual obligations of the organizations, and result in legal, financial, or reputational consequences12. References: CISSP CBK, Fifth Edition, Chapter 3, page 239; CISSP Practice Exam - FREE 20 Questions and Answers, Question 15.

Explanation/Reference:
Explanation:
Job rotations reduce the risk of collusion of activities between individuals. Companies with individuals working with sensitive information or systems where there might be the opportunity for personal gain through collusion can benefit by integrating job rotation with segregation of duties. Rotating the position may uncover activities that the individual is performing outside of the normal operating procedures, highlighting errors or fraudulent behavior.
Rotation of duties is a method of reducing the risk associated with a subject performing a (sensitive) task by limiting the amount of time the subject is assigned to perform the task before being moved to a different task.
Separation of duties is a basic control that prevents or detects errors and irregularities by assigning responsibility for different parts of critical tasks to separate individuals, thus limiting the effect a single person can have on a system. One individual should not have the capability to execute all of the steps of a particular process. This is especially important in critical business areas, where individuals may have greater access and capability to modify, delete, or add data to the system. Failure to separate duties could result in individuals embezzling money from the company without the involvement of others.
Incorrect Answers:
A: Key escrow is related to the protection of keys in storage by splitting the key in pieces that will be controlled by different departments. Key escrow is the process of ensuring a third party maintains a copy of a private key or key needed to decrypt information. Key escrow also should be considered mandatory for most organization's use of cryptography as encrypted information belongs to the organization and not the individual; however often an individual's key is used to encrypt the information. Key escrow will not interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes.
C: The need-to-know principle specifies that a person must not only be cleared to access classified or other sensitive information, but have requirement for such information to carry out assigned job duties.
Ordinary or limited user accounts are what most users are assigned. They should be restricted only to those privileges that are strictly required, following the principle of least privilege. Access should be limited to specific objects following the principle of need-to-know. The principle of need-to-know will not interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes.
D: The principle of least privilege requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. Least privilege refers to granting users only the accesses that are required to perform their job functions. Some employees will require greater access than others based upon their job functions. For example, an individual performing data entry on a mainframe system may have no need for Internet access or the ability to run reports regarding the information that they are entering into the system. Conversely, a supervisor may have the need to run reports, but should not be provided the capability to change information in the database. The principle of least privilege will not interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes.

Section: Software Development Security