Software Security Effectiveness
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- What "effectiveness" means: evidence, verification, validation
- Auditing and logging of code and configuration changes
- Software risk analysis, mitigation, and authorization (A&A)
- Software security metrics and effectiveness measures
- Exam-pattern recognition
Assessment vs. Authorization: who does what, and who owns the residual risk
| Activity | What it produces | Who performs it | Decision / risk ownership |
|---|---|---|---|
| Assessment (formerly Certification, the Assess step) | Evidence: control-assessment findings, test/review results, recommendations: the Security Assessment Report (SAR) | An assessor independent of the system's developers/operators | Reports risk; does NOT accept it |
| Authorization (formerly Accreditation, the Authorize step) | An Authorization to Operate (ATO) and a documented residual-risk decision | A senior authorizing official (AO) | Explicitly ACCEPTS the residual risk on behalf of the organization |
| Plan of Action and Milestones (POA&M) | A running ledger of known, unresolved weaknesses with owners, resources, and due dates | System owner, maintained through Authorize and Monitor | Tracks risk being worked down; not an acceptance by itself |
| Continuous monitoring | Ongoing evidence that controls stay effective as code and config change | Operations / security team | Feeds the AO's ongoing authorization decision (reauthorize or revoke) |
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
References
- NIST glossary: verification Whitepaper
- NIST SP 800-128: Security-Focused Configuration Management Whitepaper
- NIST SP 800-92: Guide to Computer Security Log Management Whitepaper
- NIST SP 800-37 Rev. 2: Risk Management Framework Whitepaper
- NIST SP 800-53A Rev. 5: Assessing Security and Privacy Controls Whitepaper
- NIST glossary: Authorization to Operate (ATO) Whitepaper
- NIST glossary: accreditation Whitepaper
- NIST glossary: Plan of Action and Milestones (POA&M) Whitepaper
- NIST SP 800-218: Secure Software Development Framework (SSDF) Whitepaper
- NIST SP 800-40 Rev. 4: Guide to Enterprise Patch Management Planning Whitepaper
- NVD: CVSS (Vulnerability Metrics) Whitepaper