nerdexam
(ISC)2

CISSP · Question #634

A security engineer is designing a Customer Relationship Management (CRM) application for a third- party vendor. In which phase of the System Development Life Cycle (SDLC) will it be MOST beneficial t

The correct answer is B. Initiation. Conducting a data sensitivity assessment during the Initiation phase of the SDLC ensures that security and privacy requirements are identified and built into the system design from the very beginning, rather than retrofitted later.

Submitted by chiamaka_o· Mar 5, 2026Software Development Security

Question

A security engineer is designing a Customer Relationship Management (CRM) application for a third- party vendor. In which phase of the System Development Life Cycle (SDLC) will it be MOST beneficial to conduct a data sensitivity assessment?

Options

  • ADevelopment / Acquisition
  • BInitiation
  • CEnumeration
  • DOperation / Maintenance

How the community answered

(57 responses)
  • A
    9% (5)
  • B
    84% (48)
  • C
    5% (3)
  • D
    2% (1)

Why each option

Conducting a data sensitivity assessment during the Initiation phase of the SDLC ensures that security and privacy requirements are identified and built into the system design from the very beginning, rather than retrofitted later.

ADevelopment / Acquisition

The Development/Acquisition phase occurs after requirements are already established, so identifying data sensitivity at this stage means security controls may need to be retrofitted into an existing design, increasing cost and risk.

BInitiationCorrect

The Initiation phase is where system requirements, purpose, and scope are first defined. Performing a data sensitivity assessment here allows security engineers to classify data types (e.g., PII, financial records) early, ensuring that appropriate security controls, compliance requirements (such as GDPR or HIPAA), and architectural decisions are incorporated into the design before development begins - making it far more cost-effective and thorough than addressing these concerns later.

CEnumeration

Enumeration is not a recognized standard SDLC phase; it is more commonly associated with penetration testing or network reconnaissance, making it an incorrect and inapplicable answer here.

DOperation / Maintenance

The Operation/Maintenance phase occurs after the system is already deployed and in production, which is the least beneficial time to conduct a data sensitivity assessment since major architectural changes are costly and disruptive.

Concept tested: Data sensitivity assessment timing within SDLC phases

Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final

Topics

#SDLC security#Data sensitivity#Requirements gathering#Security by design

Community Discussion

No community discussion yet for this question.

Full CISSP Practice