Security System Testing and Evaluation | Exam Question Answer - SSCP Certification

Security System Testing and Evaluation


Question

Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements?


Explanations



B.

Verification vs. Validation: Verification determines if the product accurately represents and meets the specifications.

A product can be developed that does not match the original specifications.

This step ensures that the specifications are properly met.

Validation determines if the product provides the necessary solution to the intended real-world problem.

In large projects, it is easy to lose sight of the overall goal.

This exercise ensures that the main goal of the project is met.

From DITSCAP: 6.3.2 Phase 2, Verification.

The Verification phase shall include activities to verify compliance of the system with previously agreed security requirements.

For each life-cycle development activity, DoD Directive 5000.1 (reference (i)), there is a corresponding set of security activities, enclosure 3, that shall verify compliance with the security requirements and evaluate vulnerabilities.

6.3.3 Phase 3, Validation.

The Validation phase shall include activities to evaluate the fully integrated system to validate system operation in a specified computing environment with an acceptable level of residual risk.

Validation shall culminate in an approval to operate.

You must also be familiar with Verification and Validation for the purpose of the exam. A simple definition for Verification would be whether or not the developers followed the design specifications along with the security requirements. A simple definition for Validation would be whether or not the final product meets the end user's needs and can be used for a specific purpose.

Wikipedia has an informal description that is currently written as: Validation can be expressed by the query "Are you building the right thing?" and Verification by "Are you building it right?"

NOTE: DITSCAP was replaced by DIACAP some time ago (2007). While DITSCAP had defined both a verification and a validation phase, the DIACAP only has a validation phase. It may not make a difference in the answer for the exam; however, DIACAP is the cornerstone policy of DoD C&A and IA efforts today. Be familiar with both terms just in case all of a sudden the exam becomes updated with the new term.

Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1106). McGraw-Hill. Kindle Edition.

http://iase.disa.mil/ditscap/DITSCAP.html

https://en.wikipedia.org/wiki/Verification_and_validation

The correct answer is C. Assessment.

Security assessment is the act of performing tests and evaluations to assess the security of a system. The goal of security assessment is to identify vulnerabilities in the system and to determine whether the system complies with security requirements and design specifications.

Validation and verification are related terms, but they are not the same as assessment. Validation is the process of checking whether a system or component meets the customer's needs and requirements. Verification, on the other hand, is the process of checking whether a system or component meets its design and development specifications.

Accuracy is also not the correct answer. Accuracy refers to the degree to which a measurement, calculation, or prediction correctly reflects the true value or outcome.

In summary, security assessment involves testing and evaluating a system's security to determine its compliance with design specifications and security requirements.