Credit for this goes to Adam Gordon on LinkedIn. I just saw this question and literally thought that this is going to be what most of my CISSP test will be like, and I felt really clueless for a moment. SDLC is probably my weakest area.
You are the on-staff CISSP for APISEC Corp., and have been asked by the DevSecOps team lead to help her write up a short overview of the issues associated with Unrestricted Access to Sensitive Business Flows & API security. As part of the overview, she wants to ensure that she has correctly identified the two layers where mitigation planning should be done.
What are the correct two layers?
a. Management & Development
b. User Access & Data classification
c. Business & Engineering
d. Third Party Risk Management (TPRM) & Privileged Access Management (PAM)
e. Identity Access Management (IAM) & Service Level Agreements (SLAs)
f. Group management & Data categorization
g. Cloud Access Security Broker (CASB) & Data Security Posture Management (DSPM)
Answer: _____