appdv.doc

APPLICATIONS SYSTEMS DEVELOPMENT SECURITY 1. At what stage of the applications development process should the security department become involved? a. Prior to the implementation b. Prior to systems testing c. During unit testing d. During requirements development Answer: d. Reference: Secure Computing(Threats Safeguards); R. Summers; McGraw-Hill; 1997; pg 250. Discussion: Answer a - incorrect - prior to implementation is 7 steps down in the software development life cycle. At this point, security safeguards would be expensive to retrofit. Answer b - incorrect - prior to system test is vague and several steps (5) required preceding it. Answer c - incorrect - unit test is where you would want to test the security of the system. Security dept. should have been involved much earlier. Answer d - correct - Security dept. should be involved at the beginning of the project. It is much easier than adding it later. 2. System Development Controls are based on a. a detailed set of business objectives. b. a logical design for security testing. c. an auditor designated review process. d. a standard methodology for project performance. Answer: d. (Reference: Caelli, Longley, and Shain, Information Security Handbook, Stockton Press, 1991, pg 244) 3. When verifying the key control objectives of a system design, the security specialist should ensure that the a. Final system design has security administrator approval b. Auditing procedures have been defined c. Vulnerability assessment has been completed d. Impact assessment has been approved Answer: c. Reference: HISM, edited by Ruthberg Tipton; Auerbach; 1993, pg 309. Discussion: Answer a - wrong - fabricated distracter Answer b - wrong - a necessary step in the Security Administration process. Answer c - correct - a key step in the System Design process. Answer d - wrong - fabricated distracter. 4. What is the final phase of the system development life-cycle? a. System installation and test b. System maintenan