PrepAway - Latest Free Exam Questions & Answers

Which of the following will satisfy the CISO's requirements?

The Chief Information Security Officer (CISO) of a small bank wants to embed a monthly testing
regimen into the security management plan specifically for the development area. The CISO's
requirements are that testing must have a low risk of impacting system stability, can be scripted,
and is very thorough. The development team claims that this will lead to a higher degree of test
script maintenance and that it would be preferable if the testing were outsourced to a third party.
The CISO still maintains that third-party testing would not be as thorough, because the third party
lacks the introspection of the development team. Which of the following will satisfy the CISO's
requirements?


A. Grey box testing performed by a major external consulting firm that has signed an NDA.

B. Black box testing performed by a major external consulting firm that has signed an NDA.

C. White box testing performed by the development and security assurance teams.

D. Grey box testing performed by the development and security assurance teams.

