CISSP · Question #634
A security engineer is designing a Customer Relationship Management (CRM) application for a third- party vendor. In which phase of the System Development Life Cycle (SDLC) will it be MOST beneficial t
The correct answer is B. Initiation. Conducting a data sensitivity assessment during the Initiation phase of the SDLC ensures that security and privacy requirements are identified and built into the system design from the very beginning, rather than retrofitted later.
Question
Options
- ADevelopment / Acquisition
- BInitiation
- CEnumeration
- DOperation / Maintenance
How the community answered
(57 responses)- A9% (5)
- B84% (48)
- C5% (3)
- D2% (1)
Why each option
Conducting a data sensitivity assessment during the Initiation phase of the SDLC ensures that security and privacy requirements are identified and built into the system design from the very beginning, rather than retrofitted later.
The Development/Acquisition phase occurs after requirements are already established, so identifying data sensitivity at this stage means security controls may need to be retrofitted into an existing design, increasing cost and risk.
The Initiation phase is where system requirements, purpose, and scope are first defined. Performing a data sensitivity assessment here allows security engineers to classify data types (e.g., PII, financial records) early, ensuring that appropriate security controls, compliance requirements (such as GDPR or HIPAA), and architectural decisions are incorporated into the design before development begins - making it far more cost-effective and thorough than addressing these concerns later.
Enumeration is not a recognized standard SDLC phase; it is more commonly associated with penetration testing or network reconnaissance, making it an incorrect and inapplicable answer here.
The Operation/Maintenance phase occurs after the system is already deployed and in production, which is the least beneficial time to conduct a data sensitivity assessment since major architectural changes are costly and disruptive.
Concept tested: Data sensitivity assessment timing within SDLC phases
Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.