CISSP · Question #9
When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?
The correct answer is D. After the business functional analysis and the data security categorization have been performed. In the SDLC, security functional requirements must be defined after understanding both the business needs and the data classification, ensuring security controls are appropriately scoped before design begins.
Question
Options
- AAfter the system preliminary design has been developed and the data security categorization has
- BAfter the vulnerability analysis has been performed and before the system detailed design begins
- CAfter the system preliminary design has been developed and before the data security
- DAfter the business functional analysis and the data security categorization have been performed
How the community answered
(29 responses)- A3% (1)
- B10% (3)
- C3% (1)
- D83% (24)
Why each option
In the SDLC, security functional requirements must be defined after understanding both the business needs and the data classification, ensuring security controls are appropriately scoped before design begins.
Defining security requirements after the preliminary design has already been developed is too late in the process, as design decisions may have already been made that conflict with or fail to accommodate necessary security controls.
Vulnerability analysis is a later-phase activity that occurs after requirements and design are established; basing security requirements on vulnerability analysis reverses the proper SDLC order and omits the critical business functional analysis input.
Defining security requirements after the preliminary design but before data security categorization is incorrect because the design phase should not begin until both business analysis and data categorization are complete, making this sequence out of order.
Security functional requirements can only be properly defined once the business functional analysis is complete (so the system's purpose and functions are understood) and the data security categorization has been performed (so the sensitivity and protection needs of the data are known). These two inputs together provide the foundation for determining what security controls and requirements are necessary before any system design work begins, following frameworks like NIST SP 800-64.
Concept tested: SDLC security requirements timing and sequencing
Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.