{"id":368,"date":"2021-01-17T05:32:15","date_gmt":"2021-01-16T17:58:38","guid":{"rendered":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0360\/"},"modified":"2021-01-17T05:44:10","modified_gmt":"2021-01-17T05:44:10","slug":"systems-security-certified-practitioner-sscp-question0360","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0360\/","title":{"rendered":"Systems Security Certified Practitioner &#8211; SSCP &#8211; Question0360"},"content":{"rendered":"<div class=\"question\">During which phase of an IT system life cycle are security requirements developed? <br \/><strong><br \/>A.<\/strong> Operation <br \/><strong>B.<\/strong> Initiation <br \/><strong>C.<\/strong> Functional design analysis and Planning <br \/><strong>D.<\/strong> Implementation<\/div>\n<p><\/p>\n<style> .hidden-div{ display:none } <\/style>\n<p>\t\t\t\t\t\t\t<button onclick=\"getElementById('hidden-div').style.display = 'block'\"> Show Answer <\/button> <button onclick=\"getElementById('hidden-div').style.display = 'none'\">Hide Answer<\/button><\/p>\n<div class=\"hidden-div\" id=\"hidden-div\"><span style=\"\"><\/p>\n<div class=\"answer\">Correct Answer: <strong>C<\/strong><\/div>\n<p><strong>Explanation:<\/strong> <\/p>\n<div class=\"explanation\">\nThe software development life cycle (SDLC) (sometimes referred to as the System Development Life Cycle) is the process of creating or altering software systems, and the models and methodologies that people use to develop these systems.<br \/>\nThe NIST SP 800-64 revision 2 has within the description section of para 3.2.1:<br \/>\nThis section addresses security considerations unique to the second SDLC phase. 
Key security activities for this phase include:<br \/>\n\u2022 Conduct the risk assessment and use the results to supplement the baseline security controls;<br \/>\n\u2022 Analyze security requirements;<br \/>\n\u2022 Perform functional and security testing;<br \/>\n\u2022 Prepare initial documents for system certification and accreditation; and<br \/>\n\u2022 Design security architecture.<br \/>\nReviewing this publication, you may want to pick development\/acquisition. Although initiation would be a decent choice, it is correct to say that during this phase you would only brainstorm the idea of security requirements. Once you start to develop and acquire hardware\/software components, then you would also develop the security controls for these. The Shon Harris reference below is correct as well.<br \/>\nShon Harris&#8217; book (All-in-One CISSP Certification Exam Guide) divides the SDLC differently:<br \/>\nProject initiation; Functional design analysis and planning; System design specifications; Software development; Installation; Maintenance support; Revision and replacement.<br \/>\nAccording to the author (Shon Harris), security requirements should be developed during the functional design analysis and planning phase.<br \/>\nSDLC POSITIONING FROM NIST 800-64<br \/>\n<img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full\" src=\"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-content\/uploads\/exam\/__Page_179_Image_0001.jpg\" \/><br \/>\nSDLC Positioning in the enterprise<br \/>\nInformation system security processes and activities provide valuable input into managing IT systems and their development, enabling risk identification, planning and mitigation. A risk management approach involves continually balancing the protection of agency information and assets with the cost of security controls and mitigation strategies throughout the complete information system development life cycle (see Figure 2-1 above). 
The most effective way to implement risk management is to identify critical assets and operations, as well as systemic vulnerabilities across the agency. Risks are shared and not bound by organization, revenue source, or topologies. Identification and verification of critical assets and operations and their interconnections can be achieved through the system security planning process, as well as through the compilation of information from the Capital Planning and Investment Control (CPIC) and Enterprise Architecture (EA) processes to establish insight into the agency\u2019s vital business operations, their supporting assets, and existing interdependencies and relationships.<br \/>\nWith critical assets and operations identified, the organization can and should perform a business impact analysis (BIA). The purpose of the BIA is to relate systems and assets with the critical services they provide and assess the consequences of their disruption. By identifying these systems, an agency can manage security effectively by establishing priorities. This positions the security office to facilitate the IT program\u2019s cost-effective performance as well as articulate its business impact and value to the agency.<br \/>\nSDLC Overview from NIST 800-64 Revision 2<br \/>\n<img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full\" src=\"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-content\/uploads\/exam\/__Page_179_Image_0002.jpg\" \/><br \/>\nNIST 800-64 Revision 2 is one publication within the NIST standards that I would recommend you look at for more details about the SDLC. It describes in great detail what activities take place and has a nice diagram for each of the phases of the SDLC. 
You will find a copy at:<br \/>\n<a href=\"http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-64-Rev2\/SP800-64-Revision2.pdf\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-64-Rev2\/SP800-64-Rev&#8230;<\/a><br \/>\nDISCUSSION:<br \/>\nDifferent sources present slightly different information as far as the phase names are concerned.<br \/>\nPeople sometimes get confused with some of the NIST standards. For example, NIST 800-64, Security Considerations in the Information System Development Life Cycle, uses slightly different phase names, but the activities mostly remain the same.<br \/>\nNIST clearly specifies that security requirements would be considered throughout ALL of the phases. The keyword here is considered; if a question asks in which phase they would be developed, then Functional Design Analysis would be the correct choice.<br \/>\nWithin the NIST standard they use different phase names; however, under the second phase you will see that they talk specifically about security functional requirements analysis, which confirms it is not at the initiation stage, so it becomes easier to come up with the answer to this question. Here is what is stated:<br \/>\nThe security functional requirements analysis considers the system security environment, including the enterprise information security policy and the enterprise security architecture. The analysis should address all requirements for confidentiality, integrity, and availability of information, and should include a review of all legal, functional, and other security requirements contained in applicable laws, regulations, and guidance.<br \/>\nAt the initiation step you would NOT have enough detail yet to produce the security requirements. 
You are mostly brainstorming on all of the issues listed, but you do not develop them all at that stage.<br \/>\nBy considering security early in the information system development life cycle (SDLC), you may be able to avoid higher costs later on and develop a more secure system from the start.<br \/>\nNIST says: NIST&#8217;s Information Technology Laboratory recently issued Special Publication (SP) 800-64, Security Considerations in the Information System Development Life Cycle, by Tim Grance, Joan Hash, and Marc Stevens, to help organizations include security requirements in their planning for every phase of the system life cycle, and to select, acquire, and use appropriate and cost-effective security controls.<br \/>\nI must admit this is all very tricky, but reading skills and paying attention to KEY WORDS are a must for this exam.<br \/>\nReferences:<br \/>\nHARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill\/Osborne, Fifth Edition, Page 956 and NIST SP 800-64 Revision 2 at <a href=\"http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-64-Rev2\/SP800-64-Revision2.pdf\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-64-Rev2\/SP800-64-Rev&#8230;<\/a> and <a href=\"http:\/\/www.mks.com\/resources\/resource-pages\/software-development-life-cycle-sdlc-system-development\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/www.mks.com\/resources\/resource-pages\/software-development-li&#8230;<\/a><\/div>\n<p><\/strong><\/span> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>During which phase of an IT system life cycle are security requirements developed? A. Operation B. Initiation C. Functional design analysis and Planning D. 
Implementation Show Answer Hide Answer Correct Answer: C Explanation: The software development life cycle (SDLC) (sometimes referred to as the System Development Life Cycle) is the process of creating or altering [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[1078,363,3],"class_list":["post-368","post","type-post","status-publish","format-standard","hentry","category-systems-security-certified-practitioner-sscp","tag-choices","tag-question-0360","tag-systems-security-certified-practitioner-sscp"],"_links":{"self":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/comments?post=368"}],"version-history":[{"count":1,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/368\/revisions"}],"predecessor-version":[{"id":1444,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/368\/revisions\/1444"}],"wp:attachment":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/media?parent=368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/categories?post=368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/tags?post=368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}