CSSLP DC > CSSLP Domain 2 – Secure Software Requirements > Flashcards

CSSLP Domain 2 – Secure Software Requirements Flashcards

(97 cards)

Study These Flashcards
1
Q
  1. What are the two main types of software requirements?
A

Functional requirements (what the system must do) and Non-functional requirements (how the system performs).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q
  1. What is the purpose of defining security requirements early in the SDLC?
A

To ensure security is designed into the system rather than added later, reducing rework and vulnerabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
  1. What is the difference between compliance and conformance?
A

Compliance refers to meeting external legal or regulatory requirements; conformance relates to internal policies and standards.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q
  1. What are examples of external compliance requirements in software development?
A

Laws and regulations such as GDPR, HIPAA, PCI DSS, SOX, and FISMA.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q
  1. What does FISMA require of U.S. federal agencies?
A

Implementation of an organization-wide information security program, including risk categorization and control assessment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q
  1. What does SOX (Sarbanes-Oxley Act) ensure in the context of software systems?
A

Integrity and control over financial data within accounting and reporting systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q
  1. What are the three rules under the Gramm-Leach-Bliley Act (GLBA)?
A

Financial Privacy Rule, Safeguards Rule, and Pretexting Protection Rule.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q
  1. What is the primary goal of HIPAA and HITECH?
A

To protect personal health information (PHI) and enhance privacy of electronic health records.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q
  1. What is the main objective of the PCI DSS standard?
A

To protect cardholder data and ensure secure payment processing across merchants and service providers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q
  1. Define PII and PHI.
A

PII (Personally Identifiable Information) identifies an individual; PHI (Protected Health Information) relates to medical data linked to an individual.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q
  1. What is a Misuse Case?
A

A scenario describing how a system can be intentionally or unintentionally used in a way that causes harm or violates policy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q
  1. How are Misuse Cases different from Use Cases?
A

Use cases describe expected behavior; misuse cases describe undesired or malicious behavior.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q
  1. What is the role of a Security Requirements Traceability Matrix (SRTM)?
A

To link each security requirement to its implementation and test cases, ensuring coverage and verification.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q
  1. What is the importance of Data Classification?
A

It determines how data should be handled, stored, and protected based on its sensitivity and impact if compromised.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q
  1. What are typical data classification categories?
A

Public, Internal, Confidential, and Restricted (or variations depending on the organization).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q
  1. What are the key elements of a data lifecycle?
A

Creation, Storage, Use, Sharing, Archival, and Destruction/Disposition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q
  1. What is the ‘Right to be Forgotten’?
A

A privacy principle under GDPR allowing individuals to request deletion of their personal data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q
  1. What are privacy-by-design principles?
A

Embedding privacy considerations (minimization, consent, transparency) into system design from the start.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q
  1. What is the primary purpose of conducting a Privacy Impact Assessment (PIA)?
A

To evaluate and document privacy risks associated with a system or project before deployment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q
  1. What is the difference between data anonymization and pseudonymization?
A

Anonymization removes identifiers irreversibly; pseudonymization replaces them with reversible tokens or keys.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q
  1. What are the three data processing conditions under GDPR?
A

Transparency (informed consent), Legitimate purpose (data use tied to a lawful purpose), and Proportionality (data use limited to what’s needed).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q
  1. What is the relationship between threat modeling and requirements?
A

Threat modeling identifies potential risks that translate into security requirements and countermeasures.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q
  1. How can developers ensure third-party suppliers meet security requirements?
A

Include explicit security clauses and right-to-audit provisions in contracts and perform supplier assessments.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q
  1. What are non-functional security requirements examples?
A

Availability targets, encryption strength, authentication response times, and audit log retention.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
25. What should be considered when defining retention policies for data?
Business need, legal hold requirements, privacy obligations, and secure disposal procedures.
26
Question
Model Answer
27
Explain why early identification of security requirements is crucial. (Domain 2)
Early identification reduces rework, ensures alignment with business goals, and prevents security gaps later in the SDLC.
28
Describe the role of misuse and abuse cases in defining requirements. (Domain 2)
They help identify potential security threats and ensure controls are designed to prevent or detect them.
29
Define traceability in the context of security requirements. (Domain 2)
Traceability ensures each requirement can be mapped to design, implementation, and testing for full coverage.
30
Explain how stakeholder input influences security requirements. (Domain 2)
Stakeholders clarify risk tolerance, regulatory obligations, and operational constraints influencing security controls.
31
Describe how regulatory obligations impact security requirements. (Domain 2)
Regulations impose minimum control expectations that must be translated into software behaviors and safeguards.
32
Explain the concept of requirement validation. (Domain 2)
Validation ensures requirements accurately reflect stakeholder needs and intended system functionality.
33
Define the term 'derived security requirement.' (Domain 2)
A requirement inferred from a higher-level objective or constraint, ensuring detailed implementation of controls.
34
Describe how risk assessment drives requirement prioritization. (Domain 2)
Higher-risk areas receive more stringent or earlier security requirements to reduce exposure.
35
Explain the difference between requirement verification and validation. (Domain 2)
Verification checks correctness and completeness; validation ensures alignment with stakeholder intent.
36
Describe the purpose of security requirement workshops. (Domain 2)
Workshops bring together cross-functional experts to elicit, refine, and approve security needs collaboratively.
37
Explain how requirement ambiguity can lead to vulnerabilities. (Domain 2)
Unclear or conflicting requirements can lead to inconsistent implementation and exploitable weaknesses.
38
Define a non-functional security requirement and provide an example. (Domain 2)
A performance-related control, e.g., 'The system must log all failed authentication attempts within one second.'
39
Describe the purpose of requirements baselining. (Domain 2)
It establishes an approved version of requirements for controlled change and consistency.
40
Explain the role of threat modeling in refining requirements. (Domain 2)
Threat modeling exposes risks that can be mitigated through additional or stronger security requirements.
41
Define what is meant by 'testable requirement.' (Domain 2)
A requirement that can be objectively verified through inspection, demonstration, or testing.
42
Describe the relationship between functional and security requirements. (Domain 2)
Functional requirements define intended behavior; security requirements ensure that behavior is protected and constrained.
43
Explain how to manage conflicting security and usability requirements. (Domain 2)
Balance both by using risk-based trade-offs and user-centered security design principles.
44
Define acceptance criteria for security requirements. (Domain 2)
Measurable conditions that confirm when a requirement has been successfully implemented and verified.
45
Explain why version control of requirements is necessary. (Domain 2)
It ensures traceability, prevents miscommunication, and enables rollback to earlier baselines when needed.
46
Describe how to ensure third-party compliance within security requirements. (Domain 2)
Include contractual clauses, SLAs, and audits aligned with organizational security expectations.
47
Explain the value of prototyping in refining security requirements. (Domain 2)
Prototyping reveals design flaws early and allows stakeholders to validate usability and security expectations.
48
Define 'requirement coverage' and why it matters. (Domain 2)
It ensures that all identified risks and objectives have corresponding requirements and controls.
49
Describe the impact of agile methodologies on managing security requirements. (Domain 2)
Agile integrates security into user stories, acceptance criteria, and sprint reviews for continuous assurance.
50
Explain how reusability of security requirements improves efficiency. (Domain 2)
Reusable requirements and templates streamline future projects and ensure consistency across systems.
51
Define the concept of 'security requirement debt.' (Domain 2)
It represents postponed or incomplete security requirements that increase risk until addressed.
52
Question
Model Answer
53
Explain the importance of integrating security requirements into the SDLC. (Domain 2)
Integrating security early ensures that risks are identified and addressed before costly design or implementation changes are required.
54
Describe the relationship between business requirements and security requirements. (Domain 2)
Security requirements must support business objectives by protecting critical assets while enabling functionality.
55
Define functional and non-functional security requirements. (Domain 2)
Functional requirements define specific security features; non-functional requirements specify qualities like performance, reliability, and confidentiality.
56
Explain how system misuse can help define security requirements. (Domain 2)
Analyzing potential misuse scenarios helps identify needed preventive, detective, and corrective controls.
57
Describe how regulatory requirements influence security requirements. (Domain 2)
Regulations define minimum controls that must be incorporated into system specifications to ensure compliance.
58
Define requirements elicitation and its relevance to security. (Domain 2)
Elicitation gathers stakeholder input, threat intelligence, and regulatory needs to define security expectations clearly.
59
Explain how stakeholder engagement impacts security requirement completeness. (Domain 2)
Early collaboration ensures all perspectives—business, technical, and compliance—are reflected in requirements.
60
Describe the role of workshops in refining security requirements. (Domain 2)
Workshops provide structured collaboration to clarify ambiguous requirements and prioritize risks.
61
Explain how conflicting requirements are managed. (Domain 2)
Conflicts are resolved by assessing business priorities, risks, and technical feasibility through stakeholder consensus.
62
Define traceability and explain why it is important for requirements management. (Domain 2)
Traceability ensures that each requirement can be linked to design, implementation, and testing artifacts for completeness and accountability.
63
Identify characteristics of a well-written security requirement. (Domain 2)
It should be clear, measurable, feasible, consistent, and testable.
64
Explain the difference between requirement validation and verification. (Domain 2)
Validation ensures requirements meet stakeholder intent; verification ensures they are implemented correctly.
65
Describe how ambiguity in requirements can introduce vulnerabilities. (Domain 2)
Unclear wording may lead to inconsistent implementation and exploitable weaknesses.
66
Define the term 'testable requirement.' (Domain 2)
A requirement that can be objectively measured or confirmed through inspection or testing.
67
Explain how acceptance criteria ensure requirement quality. (Domain 2)
Acceptance criteria define measurable outcomes that confirm a requirement is satisfied.
68
Describe how threat modeling contributes to requirements definition. (Domain 2)
It identifies attack vectors and system weaknesses that must be mitigated through specific requirements.
69
Explain the relationship between risk assessment and security requirements. (Domain 2)
Risk assessment determines which controls are necessary and how they should be prioritized.
70
Define risk tolerance and its role in security requirements. (Domain 2)
Risk tolerance defines acceptable levels of risk, guiding the strictness of security controls.
71
Explain why continuous risk assessment is important. (Domain 2)
New threats and system changes require ongoing evaluation of whether requirements remain adequate.
72
Describe how mitigation strategies affect requirement scope. (Domain 2)
Each risk treatment—accept, avoid, transfer, mitigate—defines or modifies related security requirements.
73
Explain how data classification impacts security requirements. (Domain 2)
Data classification determines protection levels such as encryption, access control, and retention.
74
Describe privacy requirements related to personal data. (Domain 2)
Requirements should enforce consent management, purpose limitation, and data minimization principles.
75
Define data retention requirements. (Domain 2)
They specify how long data is stored, the conditions for deletion, and methods for secure disposal.
76
Explain how anonymization and pseudonymization affect requirements. (Domain 2)
They require secure methods to de-identify or protect personal information without losing utility.
77
Describe how access control requirements support privacy. (Domain 2)
Access controls ensure only authorized users can view or modify sensitive data, protecting confidentiality.
78
Define requirements baselining. (Domain 2)
Baselining establishes an approved set of requirements against which changes are managed.
79
Explain the purpose of change control for requirements. (Domain 2)
It ensures modifications are reviewed and approved to maintain consistency and traceability.
80
Describe the importance of version control for requirements documentation. (Domain 2)
Version control maintains history, supports audits, and prevents loss of earlier approved content.
81
Explain why maintaining requirement history supports audits. (Domain 2)
It provides evidence that decisions were made methodically and in alignment with security policy.
82
Define requirement reuse and its advantages. (Domain 2)
Reusable requirements promote consistency, efficiency, and reliability across projects.
83
Describe how Agile development affects security requirements management. (Domain 2)
Security requirements must be incorporated into user stories, acceptance criteria, and sprint reviews for ongoing assurance.
84
Explain the role of security champions in Agile teams. (Domain 2)
They advocate security practices and ensure that user stories include appropriate security acceptance criteria.
85
Describe how backlog refinement supports security requirements. (Domain 2)
It ensures that security tasks are visible, prioritized, and scoped appropriately for upcoming sprints.
86
Explain how 'definition of done' supports secure delivery. (Domain 2)
Including security checks in the definition of done ensures vulnerabilities are addressed before release.
87
Describe continuous feedback loops for security requirements. (Domain 2)
Feedback from testing, incidents, and reviews updates and strengthens future requirements.
88
Explain the concept of requirements verification in security testing. (Domain 2)
Verification confirms that each requirement is implemented as specified and functions securely.
89
Describe the role of audits in validating requirements compliance. (Domain 2)
Audits verify that requirements are met and provide independent assurance of compliance.
90
Explain how automated tools support requirements traceability. (Domain 2)
Tools link requirements to design and testing artifacts, simplifying validation and change tracking.
91
Define the term 'security control objective' and how it relates to requirements. (Domain 2)
A control objective outlines the intent behind a control, guiding the formulation of detailed security requirements.
92
Describe the benefit of maintaining a requirements repository. (Domain 2)
A repository enables reuse, version control, and quick access to approved security requirement templates.
93
Explain how lessons learned from incidents influence new requirements. (Domain 2)
Post-incident analysis often reveals gaps or weaknesses that must be formalized as updated requirements.
94
Describe how metrics can be used to evaluate requirement effectiveness. (Domain 2)
Metrics like defect density and time-to-fix measure how well requirements mitigate real risks.
95
Explain why continuous improvement is essential for requirements engineering. (Domain 2)
As threats and technologies evolve, security requirements must adapt to maintain relevance and effectiveness.
96
Describe how requirements maturity models support continuous improvement. (Domain 2)
They provide a structured path for improving how requirements are developed, maintained, and verified.
97
Define the concept of measurable security outcomes in requirements. (Domain 2)
Outcomes specify what successful protection looks like, ensuring focus on results rather than only activities.
CSSLP DC
flashcards
Decks in class (13)
# Cards
Brainscape helps you reach your goals faster, through stronger study habits.
© 2026 Bold Learning Solutions. Terms and Conditions