The information security staff’s participation in which of the following system development life cycle phases
provides maximum benefit to the organization?
A. project initiation and planning phase
B. system design specifications phase
C. development and documentation phase
D. in parallel with every phase throughout the project
Explanation:
A system has a developmental life cycle, which is made up of the following phases: initiation,
acquisition/development, implementation, operation/maintenance, and disposal. Collectively these are
referred to as a system development life cycle (SDLC).
Security is critical in each phase of the life cycle.
In the initiation phase the company establishes the need for a specific system. The company has figured out
that there is a problem that can be solved or a function that can be carried out through some type of
technology. A preliminary risk assessment should be carried out to develop an initial description of the
confidentiality, integrity, and availability requirements of the system.
The acquisition/development phase should include security analysis, such as security functional requirements
analysis and security assurance requirements analysis.
In the Implementation phase, it may be necessary to carry out certification and accreditation (C&A) processes
before a system can be formally installed within the production environment. Certification is the technical testing
of a system.
In the Operation and Maintenance phase, continuous monitoring needs to take place to ensure that security
baselines are always met. Vulnerability assessments and penetration testing should also take place in this
phase. These types of periodic testing allow for new vulnerabilities to be identified and remediated.
Disposal phase: When a system no longer provides a needed function, plans for how the system and its data
will make a transition should be developed. Data may need to be moved to a different system, archived,
discarded, or destroyed. If proper steps are not taken during the disposal phase, unauthorized access to
sensitive assets can take place.
Incorrect Answers:
A: Security staff should participate in all phases of the system development life cycle, not just the project
initiation and planning phases.
B: Security staff should participate in all phases of the system development life cycle, not just the development
phase. Documentation is not one of the phases in the system development life cycle.
C: System design specifications would happen in the development phase. ‘System design specifications’ is not
a recognized phase in itself. Security staff should participate in all phases of the system development life cycle,
not just the development phase.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 1087-1093