Systems Security Certified Practitioner – SSCP – Question0270

A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle?

A. project initiation and planning phase
B. system design specification phase
C. development & documentation phase
D. acceptance phase

Correct Answer: D

Explanation:

The Answer: “acceptance phase”. Note the question asks about an “evaluation report”, which details how the system was evaluated, and an “accreditation statement”, which describes the level the system is allowed to operate at. Because those two activities are a part of testing and testing is a part of the acceptance phase, the only answer above that can be correct is “acceptance phase”.
The other answers are not correct because:
The “project initiation and planning phase” is just the idea phase. Nothing has been developed yet to be evaluated, tested, accredited, etc.
The “system design specification phase” is essentially where the initiation and planning phase is fleshed out. For example, in the initiation and planning phase, we might decide we want the system to have authentication. In the design specification phase, we decide that that authentication will be accomplished via username/password. But there is still nothing actually developed at this point to evaluate or accredit.
The “development & documentation phase” is where the system is created and documented. Part of the documentation includes specific evaluation and accreditation criteria. Those are the criteria that will be used to evaluate and accredit the system during the “acceptance phase”.
In other words, you cannot evaluate or accredit a system that has not been created yet. Of the four answers listed, only the acceptance phase is dealing with an existing system. The others deal with planning and creating the system, but the actual system isn’t there yet.
Reference: Official ISC2 Guide, pages 558-559; All in One, Third Edition, pages 832-833 (recommended reading)