According to the CISSP All-in-One Exam Guide, the greatest responsibility of Information Security when evaluating third-party applications is to quantify the risk to the business for product selection. This means that Information Security should assess the potential impact and likelihood of the threats and vulnerabilities associated with each application, and communicate the results to the business stakeholders who are responsible for making the final decision. Information Security should not accept the risk on behalf of the organization, report findings to the business without providing a risk analysis, or approve the application that best meets security requirements without considering the business's needs and objectives.