appde.docVIP

APPLICATIONS SYSTEMS DEVELOPMENT SECURITY1. At what stage of the applications development process should the security department become involved?a. Prior to the implementationb. Prior to systems testingc. During unit testingd. During requirements developmentAnswer: d.Reference: Secure Computing(Threats Safeguards); R. Summers; McGraw-Hill; 1997; pg 250.Discussion:Answer a - incorrect - prior to implementation is 7 steps down in the software development life cycle. At this point, security safeguards would be expensive to retrofit.Answer b - incorrect - prior to system test is vague and several steps (5) required preceding it.Answer c - incorrect - unit test is where you would want to test the security of the system. Security dept. should have been involved much earlier.Answer d - correct - Security dept. should be involved at the beginning of the project. It is much easier than adding it later.2. System Development Controls are based on a. a detailed set of business objectives.b. a logical design for security testing.c. an auditor designated review process.d. a standard methodology for project performance.Answer: d.(Reference: Caelli, Longley, and Shain, Information Security Handbook, Stockton Press, 1991, pg 244)3. When verifying the key control objectives of a system design, the security specialist should ensure that thea. Final system design has security administrator approvalb. Auditing procedures have been definedc. Vulnerability assessment has been completedd. Impact assessment has been approvedAnswer: c.Reference: HISM, edited by Ruthberg Tipton; Auerbach; 1993, pg 309.Discussion: Answer a - wrong - fabricated distracterAnswer b - wrong - a necessary step in the Security Administration process.Answer c - correct - a key step in the System Design process.Answer d - wrong - fabricated distracter.4. What is the final phase of the system development life-cycle?a. System installation and testb. System maintenance supportc. System certificationd.