CISSP · Question #1143
In which of the following system life cycle processes should security requirements be developed?
The correct answer is D. System analysis. Security requirements should be developed during the system analysis phase of the system life cycle, where functional and non-functional requirements-including security controls-are formally identified and documented.
Question
Options
- ARisk management
- BBusiness analysis
- CInformation management
- DSystem analysis
How the community answered
(32 responses)- A3% (1)
- B3% (1)
- C6% (2)
- D88% (28)
Why each option
Security requirements should be developed during the system analysis phase of the system life cycle, where functional and non-functional requirements-including security controls-are formally identified and documented.
Risk management is an ongoing process used to identify, assess, and mitigate risks, but it is not the SDLC phase where security requirements are formally developed and documented.
Business analysis focuses on understanding organizational needs and defining business objectives, not on the technical specification of security requirements for a system.
Information management deals with the governance, storage, and handling of data assets and is not an SDLC phase dedicated to eliciting or developing system security requirements.
System analysis is the phase of the system development life cycle (SDLC) where stakeholder needs are translated into detailed system requirements, including security requirements such as access controls, data protection, and compliance mandates. Identifying security requirements at this stage ensures they are built into the system design from the ground up rather than retrofitted later, following the 'secure by design' principle.
Concept tested: Security requirements development within SDLC phases
Source: https://csrc.nist.gov/publications/detail/sp/800-160/vol-1/final
Topics
Community Discussion
No community discussion yet for this question.