Security Life Cycles Flashcards

1
Q

System Life Cycles

A
  1. Computer Systems: Virtually all businesses rely on computer systems to support their various processes.
  2. Life Cycle: Computer systems have a life cycle that includes multiple stages from inception to end of life.
  3. Information/Data: Information or data is the core element of any business, and it plays a crucial role in system functionality.
  4. Software: Software is responsible for running applications and processing the information within computer systems.
  5. System: The system encompasses both the information/data and software components, along with the operational processes.
  6. Life Cycle Stages: The life cycle of computer systems involves stages such as inception, development, implementation, operation, maintenance, and end of life.
  7. Management: Effective management of the system life cycle is essential for maintaining system performance, security, and efficiency.
  8. Continuous Improvement: Throughout the life cycle, organizations should strive for continuous improvement by evaluating and enhancing system components and processes.
  9. Documentation: Documentation is crucial at each stage of the life cycle to ensure clarity, traceability, and effective management of the system.
  10. Compliance: It is important to adhere to industry standards, regulations, and best practices throughout the life cycle to ensure system integrity and protect business interests.
2
Q

Which of the following statements accurately describes the life cycle of computer systems?

A) The life cycle of computer systems includes only the software component.

B) Information or data is not a critical element in the life cycle of computer systems.

C) The system life cycle involves stages such as inception, development, implementation, operation, maintenance, and end of life.

D) Documentation is not necessary at any stage of the computer system life cycle.

A

C. The system life cycle typically involves stages such as inception, development, implementation, operation, maintenance, and end of life.

These stages encompass the various processes and activities related to the system’s existence and usage.

3
Q

Information Life Cycle

A

The information within a business goes through a life cycle from creation to disposal.

  • The goal is to protect the information to ensure it is accessed when needed and by authorized individuals.
  • The information life cycle can be viewed from different perspectives and models.
  • The data and information life cycle typically consists of three main phases: Acquisition, Utilization, and Disposal.

The Acquisition phase involves gathering and obtaining the information needed for business operations.

The Utilization phase focuses on using and managing the information effectively and efficiently.

The Disposal phase involves securely discarding or archiving the information once it is no longer needed.

  • Each phase requires appropriate security measures and controls to safeguard the information.
  • The information life cycle is an ongoing process that requires continuous monitoring and evaluation.
4
Q

Which of the following correctly represents the phases of the information life cycle?

A) Creation, Preservation, Destruction
B) Acquisition, Utilisation, Maintenance
C) Acquisition, Utilisation, Disposal
D) Creation, Utilisation, Disposal

A

C) Acquisition, Utilisation, Disposal

The data and information life cycle typically consists of three main phases: Acquisition, Utilization, and Disposal.

5
Q

Acquisition

A

The acquisition phase involves obtaining information within the organization, either through internal processes or external sources. It is the first stage of the information life cycle.

  • Evaluation of value and sensitivity is important during acquisition.
  • Value can be assessed in terms of its contribution to revenue generation or its core importance to the business.
  • Two values to consider: value to the organization itself and value to external entities if they were to acquire and exploit the information.

Sensitivity of the information is also assessed, both internally and externally:

  • Internal sensitivity involves restricting access to certain information within the organization, such as business plans or HR details.
  • External sensitivity refers to the potential harm caused by the leakage of sensitive information to individuals or the organization’s reputation.
  • Classification of data is applied based on its value and sensitivity.
6
Q

What are the two considerations when evaluating information during the acquisition phase?

A) Value and Sensitivity

B) Availability and Reliability

C) Authenticity and Integrity

D) Confidentiality and Compliance

A

A) Value and Sensitivity

During the acquisition phase, when information comes into the organization, it needs to be evaluated for its value and sensitivity.

  1. Value: The value of the information to the organization itself is important to assess. This refers to how crucial the information is for the functioning and success of the business. Intellectual property or proprietary information, for example, can have significant value in terms of revenue generation or being core to the business’s operations.
  2. Sensitivity: Sensitivity refers to the level of confidentiality or protection required for the information. It involves considering the potential impact if the information is disclosed or accessed by unauthorized individuals. There are both internal and external sensitivity considerations:
    * Internal sensitivity: Information such as business plans or HR details should not be widely known within the organization to maintain confidentiality and prevent misuse.
    * External sensitivity: Certain information, if leaked or acquired by external parties, may cause harm to individuals or damage the organization’s reputation.

Assessing the value and sensitivity of the information helps determine the appropriate level of protection and classification it should receive within the organization. This ensures that proper security measures are in place to safeguard valuable and sensitive information from unauthorized access, disclosure, or theft.

7
Q

Which of the following is a consideration when evaluating the value and sensitivity of information during the acquisition phase?

A) The physical location of the information

B) The number of employees involved in the acquisition process

C) The potential revenue generation from the information

D) The level of encryption used to protect the information

A

C) The potential revenue generation from the information.

During the acquisition phase, evaluating the value and sensitivity of information involves considering its importance and impact on the organization. One aspect of value assessment is determining the potential revenue generation that the information can contribute to the business. If the information is valuable in terms of its ability to generate revenue, it becomes crucial to protect it adequately and prevent unauthorized access or theft.

While the other options may be relevant in certain contexts, they are not directly related to the evaluation of value and sensitivity during the acquisition phase. The physical location of the information and the number of employees involved may have implications for security and access control but do not directly assess the value or sensitivity of the information. The level of encryption, on the other hand, pertains to the security measures applied to protect the information but does not specifically address its value or revenue potential.

8
Q

Classification

A

This is where we apply labels to information indicating its level of sensitivity.
- Different protective measures are applied based on the applied label.
- Government and military systems use protective markings for information protection.
- Common labels include: Top Secret, Secret, Confidential, Unclassified.
- Business world labels may vary, such as: Company confidential, Internal use only, Public.

Advantages of classification:
- Awareness: Once the label is applied, individuals handling the information are aware of how it should be protected and handled.
- Influence on handling: Labels may influence storage, transmission, and encryption of sensitive data.

Acquisition phase of the information life cycle:
- Planning: Arranging to acquire the information.
- Identification: Establishing what it is and in what format.
- Classification: Applying labels based on value and sensitivity.
- Source: Identifying the origin and form of the information.

By understanding the classification process, individuals can handle and protect information according to its assigned label, ensuring appropriate security measures are applied throughout its lifecycle.

9
Q

What is the purpose of applying labels to information during the classification phase of the information life cycle?

A) To determine the format of the information

B) To establish the source of the information

C) To indicate the level of sensitivity

D) To identify the planning requirements for acquiring the information

A

C) To indicate the level of sensitivity.

Applying labels to information during the classification phase helps indicate the level of sensitivity, which in turn determines the protective measures and handling requirements for that information.

10
Q

During the acquisition phase of the information life cycle, what is the purpose of identification?

A) Assessing the value and sensitivity of the information

B) Determining the protective measures for the information

C) Establishing where the information has come from and in what form

D) Planning and arranging to acquire the information

A

C) Establishing where the information has come from and in what form.

During the identification phase of the acquisition process, the focus is on understanding the origin and format of the information. This helps in determining its source, whether it was created internally or received from external sources, and the specific format in which it exists. This information is crucial for proper handling, storage, and classification of the acquired data. Assessing the value and sensitivity of the information is done during the classification phase, not the identification phase.

11
Q

Utilization

A

Utilization is the second stage of the information life cycle, focusing on how the information is used.
It involves various aspects such as storage, processing, sharing/transmission, validity, integrity, and archiving.

  • Storage involves keeping and protecting the information on secondary storage devices, such as hard disks.
  • Access controls and encryption at rest help protect stored information from unauthorized access and disclosure.
  • Processing information may require decryption, so secure processing environments with limited access are essential.
  • Sharing information involves considering who has access, their permission levels, and applying the principles of “need to know” and “least privilege.”
  • Protecting information during transmission can be achieved through encryption of the information itself or securing the communication channel with technologies like VPN.
  • Ensuring the information is current, valid, and reliable is crucial, and integrity measures such as hashing or checksums can be used to validate data integrity.
  • Access controls also contribute to maintaining the integrity of information by restricting unauthorized modification.

Overall, utilization focuses on securely storing, processing, sharing, and maintaining the integrity of information within a business context.

12
Q

Which of the following measures helps maintain the integrity of information during its utilization phase?

A) Access controls and encryption at rest

B) Limiting access to processing servers

C) Applying “need to know” and “least privilege” principles

D) Encrypting the information during transmission

A

B) Limiting access to processing servers.

While applying “need to know” and “least privilege” principles (option C) is important for sharing information, it specifically pertains to controlling access rights. In the context of maintaining the integrity of information during its utilization phase, limiting access to processing servers helps ensure that only authorized individuals or systems can interact with the information during processing, reducing the risk of unauthorized modifications or tampering.

13
Q

During the utilization phase of the information life cycle, which measure helps ensure the reliability and trustworthiness of the information being processed?

A) Least privilege

B) Encryption at rest

C) Integrity measures

D) Access controls

A

C) Integrity measures.

During the utilization phase of the information life cycle, integrity measures are used to ensure the reliability and trustworthiness of the information being processed. Integrity measures help to ensure that the information has not been altered, tampered with, or modified in an unauthorized manner. This can be achieved through various techniques such as hashing, checksums, digital signatures, and access controls.

Integrity measures are crucial for maintaining the accuracy and consistency of information, and they help in detecting any unauthorized modifications or data corruption. By validating the integrity of the information, organizations can have confidence in the reliability of the data they are working with and make informed decisions based on it.

14
Q

During the utilization phase of the information life cycle, which of the following measures helps protect information while it is being transmitted over a network?

A) Encryption of the communication channel

B) Access controls to limit who can access the information

C) Hashing or checksums for data validation

D) Least privilege principle for granting access permissions

A

A) Encryption of the communication channel.

During the utilization phase of the information life cycle, when information is being transmitted over a network, encrypting the communication channel provides protection for the information. Encryption ensures that even if the transmitted data is intercepted, it remains secure and unreadable to unauthorized individuals. By encrypting the communication channel, the information itself can be transmitted in an unencrypted format, but the secure connection safeguards its confidentiality and integrity. This measure helps prevent unauthorized access and eavesdropping on the transmitted data, ensuring its privacy and protection.

15
Q

During the utilization phase of the information life cycle, which of the following measures helps ensure the reliability and trustworthiness of the information?

A) Implementing access controls

B) Encrypting the storage medium

C) Archiving the information

D) Validating the information’s integrity through checksums

A

A) Implementing access controls.

During the utilization phase of the information life cycle, implementing access controls helps ensure the reliability and trustworthiness of the information. Access controls allow organizations to define and enforce restrictions on who can access the information and at what level. By granting access only to authorized individuals based on their roles and responsibilities, organizations can prevent unauthorized modifications or misuse of the information, thereby maintaining its integrity and trustworthiness.

Option B (Encrypting the storage medium) focuses on protecting the confidentiality of the information by encrypting the storage medium, but it does not directly address the reliability and trustworthiness of the information.

Option C (Archiving the information) refers to the process of long-term retention and preservation of information, which is important for compliance and historical purposes but does not directly relate to reliability and trustworthiness.

Option D (Validating the information’s integrity through checksums) is a valid measure to ensure the integrity of the information during transmission or storage. However, access controls are specifically designed to regulate access and prevent unauthorized modifications, making them more directly relevant to reliability and trustworthiness.

16
Q

What is the purpose of access controls in information security?

A) To encrypt data at rest
B) To protect information during transmission
C) To ensure the confidentiality, integrity, and availability of information
D) To authenticate users and grant appropriate permissions

A

C) To ensure the confidentiality, integrity, and availability of information.

Access controls in information security are mechanisms that are implemented to manage and regulate access to information resources. They are used to protect the confidentiality of sensitive data, maintain the integrity of information by preventing unauthorized modifications, and ensure the availability of information to authorized users.

17
Q

Which measure helps ensure the confidentiality of information during transmission over a network?

A) Encryption
B) Access controls
C) Archiving
D) Validation

A

A) Encryption

The measure that helps ensure the confidentiality of information during transmission over a network is encryption. By encrypting the information prior to transmission, even if it is intercepted, it remains secure and unreadable to unauthorized individuals. Encryption is an essential method for protecting sensitive data while it is in transit.

18
Q

Disposal

A

Disposal is the final stage of the information life cycle and involves the destruction of information that is no longer needed.

  • Before disposal, there may be an interim stage of archiving, where information is retained for business or legal reasons based on the data retention policy.
  • Archived information is often stored offline, such as on magnetic tapes, and security measures like encryption and physical access controls should be applied.
  • Disposal methods depend on the sensitivity of the information:
    • Simple deletion of files is not sufficient, as data can be recovered using file recovery tools.
    • Formatting the hard disk with a full format may render data inaccessible, but remnants can still be recovered.
    • The best way to ensure data destruction is to physically destroy the storage medium.
  • Defensible destruction refers to the validation of the destruction process, ensuring that information is irrecoverable.
  • Proper disposal and destruction of information are crucial to prevent unauthorized access and maintain data security.
19
Q

What is the recommended method for ensuring the complete destruction of sensitive information during disposal?

A) Simple deletion of files
B) Formatting the hard disk with a full format
C) Archiving the information offline
D) Physically destroying the storage medium

A

D) Physically destroying the storage medium.

Explanation: When disposing of sensitive information, simply deleting files or formatting the hard disk may not be sufficient to ensure the complete destruction of the data. Basic file recovery tools or remnants of data can still be recovered from these methods. The recommended method for complete destruction is to physically destroy the storage medium. This ensures that there is no possibility of data recovery and eliminates any potential data remanence.

By physically destroying the storage medium, such as shredding it or using specialized destruction techniques, the data becomes permanently inaccessible and irretrievable. This method provides a higher level of assurance that the sensitive information cannot be recovered or compromised.

Therefore, option D) Physically destroying the storage medium is the correct choice for ensuring the complete destruction of sensitive information during disposal.

20
Q

Which of the following is an essential consideration during the disposal stage of the information life cycle?

A) Data retention policy
B) Archiving information offline
C) Encrypting information prior to disposal
D) Physically destroying the storage medium

A

D) Physically destroying the storage medium.

During the disposal stage of the information life cycle, it is crucial to ensure that the information is permanently and irrecoverably destroyed. Simply deleting files or formatting the storage medium may not be sufficient to prevent data recovery. Physically destroying the storage medium, such as shredding or degaussing it, guarantees that the information cannot be retrieved. This ensures the highest level of security and mitigates the risk of data remanence. A data retention policy (choice A) is relevant during the archiving stage, and encrypting information prior to disposal (choice C) can provide an additional layer of security, but physical destruction is the most effective method to prevent data recovery.

21
Q

Which of the following is an essential consideration during the archiving stage of the information life cycle?

A) Encrypting the information prior to archiving.

B) Implementing access controls to limit physical access to archived information.

C) Performing regular integrity checks on archived data.

D) Defining a data retention policy for archived information.

A

D) Defining a data retention policy for archived information.

During the archiving stage of the information life cycle, it is crucial to have a well-defined data retention policy. This policy outlines how long the archived information should be retained based on business or legal requirements. By establishing a data retention policy, organizations ensure compliance with regulatory obligations and avoid unnecessary storage of outdated or irrelevant data.

Implementing a data retention policy helps in efficient management of archived information, reduces storage costs, and facilitates timely disposal of data when it is no longer needed. It provides clarity on the retention periods for different types of data and helps organizations maintain data privacy and security throughout the information life cycle.

22
Q

An alternative model of the information life cycle

A

An alternative model of the information life cycle is represented by the acronym CSUSAD.
- CSUSAD stands for Create, Store, Use, Share, Archive, and Destroy.
- Create (Acquisition): This stage involves obtaining or acquiring the information.
- Store: The information is stored on a disk or other persistent medium.
- Use: The information is utilized and processed as part of daily job activities.
- Share: The information may be securely shared with others as required.
- Archive: At the end of its working life, the data may be stored in an archive for future retrieval when necessary.
- Destroy: Information is destroyed either at the end of its life or after the retention period specified in the archive has expired.
- CSUSAD is an alternative representation of the information life cycle, which aligns with the stages of acquisition, storage, utilization, sharing, archiving, and destruction.

23
Q

Which of the following represents the stages of the information life cycle in the CSUSAD model?

A) Creation, Storage, Usage, Destruction
B) Capture, Securing, Usage, Archiving
C) Creation, Sharing, Utilization, Disposal
D) Create, Store, Use, Share, Archive, Destroy

A

D) Create, Store, Use, Share, Archive, Destroy

The stages of the information life cycle in the CSUSAD model are Create, Store, Use, Share, Archive, and Destroy.

24
Q

Which stage of the information life cycle involves retaining data for future retrieval after it is no longer actively used?

A) Create
B) Store
C) Use
D) Archive

A

D) Archive.

The stage of archiving involves retaining data for future retrieval after it is no longer actively used. Archiving allows organizations to store data in a separate location or medium to free up primary storage space while still maintaining the ability to access the information when needed.

25
Q

What are the three data states?

A

Data at rest
Data in transit/motion
Data in use

26
Q

Testing Audit and Review of Systems

A

Purpose: To establish functional and secure systems that meet the needs of the business.

  • Testing Process:
    • Initial testing during system development.
    • Periodic testing to ensure the security footprint hasn’t changed.
  • Importance of Periodic Testing:
    • Technology changes, new threats emerge, and business processes may change over time.
    • Periodic testing helps maintain a secure state.
  • Accuracy and Comprehensiveness of Testing:
    • Testing should be accurate and comprehensive to derive value from the process.
  • Test Report:
    • Open and honest reporting, including both good and bad news.
  • Sections in the report:
    • Executive summary for senior management.
    • Detailed technical content of findings for practitioners.
  • Protection of Test Report:
    • The report may contain sensitive information on vulnerabilities.
    • It should be treated as a sensitive document with controlled access.
    • Protecting the report from falling into the wrong hands is crucial.
  • Verification of Security Alignment:
    • Testing should verify if information security architecture, policies, and procedures align with business goals and objectives.
    • Assess if security still supports the business and if people are following policies.
    • Identify shortcomings and determine necessary changes.
27
Q

Which of the following is an essential element of periodic testing for maintaining a secure state?

A) Conducting tests only during system development

B) Performing tests sporadically without a predefined schedule

C) Producing a test report that highlights only positive outcomes

D) Verifying that security measures align with the goals of the business

A

D) Verifying that security measures align with the goals of the business.

Periodic testing helps ensure that the implemented security measures still support the business objectives. It helps identify any shortcomings and determines the necessary changes to maintain a secure state.

28
Q

During the testing and audit process of systems, which of the following is a key consideration for generating an effective test report?

A) Providing an accurate and comprehensive assessment of vulnerabilities.

B) Including only technical details without an executive summary.

C) Ensuring the report is accessible to all employees in the organization.

D) Hiding any negative findings to maintain a positive image.

A

A) Providing an accurate and comprehensive assessment of vulnerabilities.

During the testing and audit process, it is crucial to generate an effective test report that accurately identifies and communicates the vulnerabilities found in the system. The report should provide a comprehensive assessment, highlighting both strengths and weaknesses, to ensure that necessary actions can be taken to address any identified vulnerabilities and improve the security of the system.

29
Q

Logs and Monitoring

A

Logs and monitoring provide valuable information about system activities and users’ actions.

  • Log files record system events and user activities, including who performed them.
  • Monitoring allows real-time observation of system operations and helps identify trends and potential issues.
  • SOC (Security Operations Centre) is the central hub for managing security activities, including threat management and change management.
  • SIEM (Security Information and Event Management) is a system that collects and correlates log information from various sources, providing a centralized view of system activity and generating reports and alerts.
  • The retention policy determines how long logs should be kept. The typical retention period is six months, although regulatory requirements may extend this duration.
  • Log management is crucial as it involves storing and protecting log data, the volume of which grows as more logs are retained.
30
Q

What is the purpose of Security Information and Event Management (SIEM) in the context of logs and monitoring?

A) To store and protect log files
B) To monitor real-time system operations
C) To manage security activities in a centralized hub
D) To correlate log information and generate reports/alerts

A

D) To correlate log information and generate reports/alerts.

SIEM (Security Information and Event Management) systems are designed to collect and analyse log information from various sources, such as network devices, servers, and applications. By correlating this information, a SIEM can provide a centralized view of activity, generate reports, and raise alerts for potential security incidents or anomalies.

31
Q

Which of the following is a key consideration when determining the retention period for log files?

A) The size of the log files
B) The regulatory requirements or organizational policies
C) The number of system users
D) The type of security incidents detected

A

B) The regulatory requirements or organizational policies.

When determining the retention period for log files, organizations need to consider any applicable regulatory requirements that specify a minimum retention period. Additionally, organizations may have their own internal policies or guidelines that dictate how long log files should be retained for auditing, compliance, or security purposes.

32
Q

Which of the following terms refers to a centralized system that correlates log information from multiple sources and provides a centralized view of activity with reporting and alerting capabilities?

A) SOC
B) SIEM
C) Logs and Monitoring
D) Retention Policy

A

B) SIEM.

SIEM stands for Security Information and Event Management, which is a centralized system that collects, correlates, and analyses log information from various sources to provide a comprehensive view of system activity, along with reporting and alerting features.

33
Q

Software Development Life Cycles (SDLC)

A

Software Development Life Cycle (SDLC) involves stages from initial concept to production or operations.

  • Typical stages of SDLC include Planning, Design, Development, Testing, Deployment, and Maintenance.

 Planning – what do we want?
 Design – what will it look like?
 Development – let’s build it
 Testing – does it work?
 Deployment – let’s use it
 Maintenance – let’s make it better

  • Security is integrated into the development process at every stage.
  • The SDLC ends when the product is deployed into production.
  • The System Life Cycle (SLC) includes the operation, maintenance, and disposal phases in addition to the stages of SDLC.
34
Q

Which of the following best describes the relationship between the Software Development Life Cycle (SDLC) and the System Life Cycle (SLC)?

A) SDLC includes the operation, maintenance, and disposal phases of software development.

B) SLC is a separate cycle that begins after the completion of the SDLC.

C) SDLC and SLC are two different terms for the same concept.

D) SDLC and SLC are unrelated and independent processes.

A

B) SLC is a separate cycle that begins after the completion of the SDLC.

The software development life cycle (SDLC) ends when the product goes into production, and the operation and maintenance phase would be part of the System Life Cycle (SLC). This indicates that the SLC is a separate cycle that follows the completion of the SDLC.

35
Q

Which stage of the Software Development Life Cycle (SDLC) focuses on verifying whether the software works correctly?

A) Planning
B) Design
C) Development
D) Testing

A

D) Testing.

The testing stage of the SDLC is responsible for verifying and validating the software to ensure that it functions correctly and meets the desired requirements. It involves various testing activities such as unit testing, integration testing, system testing, and acceptance testing to identify any defects or issues before the software is deployed.

36
Q

Planning, Design and Development

A

Planning:
- A new software product starts as a concept or vision.
- Identify user requirements and functional requirements.
- Conduct a risk assessment to determine if the project introduces or increases risk.
- Security considerations should be addressed from the outset.

Design:
- Translate functional requirements into design specifications.
- Use design diagrams and flow charts to establish the program’s architecture.
- Consider security implications and ensure no additional risks are introduced.
- Begin considering testing requirements.

Development:
- Code the software in individual units.
- Integrate the units to create a single entity.
- Emphasize security by using safe functions, secure coding principles, and best practices.
- Testing should be a separate activity performed by dedicated testers.

37
Q

During which stage of the Software Development Life Cycle (SDLC) is the program coded as individual units and then integrated into a single entity?

A) Planning
B) Design
C) Development
D) Testing

A

C) Development.

During the development stage of the Software Development Life Cycle (SDLC), the program is coded as individual units or modules. These units are then integrated with each other to form a single functioning entity. This stage involves writing the actual code based on the design specifications and requirements outlined in the previous stages. The development stage focuses on translating the design into a working software application while considering security aspects, such as using safe functions, secure coding principles, and best practices to minimize potential security flaws.

38
Q

Testing: Deployment and Maintenance

A

Testing is a distinct activity where the finished product is evaluated against design, functionality, and security objectives.

There are several stages of testing:
  • User acceptance testing - put users in front of it, can they use it and does it do what they expected?
  • Site acceptance testing - the application or system is tested in the context of the environment where it is likely to be used
  • Final acceptance testing - this leads to the certification and accreditation of the product for use within the business

  • Certification is obtained as documentary evidence that the product is both functional and secure.
  • Security testing should be signed off by the Information Security Manager.
  • Accreditation is the process where senior management authorizes the product for transition to production.
  • Periodic reaccreditation may be required to ensure the product remains fit for purpose.
  • Deployment involves putting the product into production, staff training, and developing operational procedures.
  • The maintenance phase begins after deployment and involves bug fixes, patches, and improvements to the product’s operation and functionality.
  • The software should mature over its life, becoming more functional, stable, and secure.
39
Q

Which of the following is NOT a stage of testing mentioned in the text?

A) User acceptance testing
B) Site acceptance testing
C) Final acceptance testing
D) Post-deployment testing

A

D) Post-deployment testing

There are several stages of testing:

  • User acceptance testing - put users in front of it, can they use it and does it do what they expected?
  • Site acceptance testing - the application or system is tested in the context of the environment where it is likely to be used
  • Final acceptance testing - this leads to the certification and accreditation of the product for use within the business
40
Q

Which of the following objectives is NOT evaluated during the testing phase?

A) Design
B) Functionality
C) Security
D) Performance

A

D) Performance

Testing is a distinct activity where the finished product is evaluated against several objectives:

  • Design – has it fulfilled the original design requirements?
  • Functionality – does it do what it is designed to do?
  • Security – does it do what it is designed to do in a secure manner?
41
Q

Off the Shelf

A
  • Outsourcing Software Development:
    • Strong contract language and oversight required.
    • Offshore outsourcing raises cultural and legal issues.
    • Risk of malware when dealing with unknown parties.
    • Choose organizations with a proven track record and maturity.
  • Commercial Off the Shelf Applications (COTS):
    • Test COTS software prior to acceptance.
    • Consider vendor credibility, ongoing support, and maintenance.
    • Verify the legitimacy and licensing of the software.
    • Access to source code may or may not be available.
  • Source Code:
    • In-house development grants ownership of the source code.
    • External development may have restrictions on source code rights.
    • Commercial software usually provides only compiled code.
  • Software Escrow:
    • Software escrow stores source code with a third party.
    • Ensures access to source code if the supplier goes out of business.
  • Patching:
    • All software applications have bugs and vulnerabilities.
    • Patches are used to fix discovered problems.
    • Evaluate and test patches before applying to avoid regression.
42
Q

When acquiring software off the shelf, what should be considered regarding the vendor?

A) Their financial stability
B) Their corporate social responsibility
C) Their marketing strategies
D) Their office location

A

A) Their financial stability

When purchasing off-the-shelf software, it is important to consider the vendor’s financial stability to ensure long-term support and maintenance of the product.

43
Q

What is the purpose of software escrow?

A) To protect the software vendor’s intellectual property rights

B) To ensure compliance with software licensing agreements

C) To provide access to the source code in case the vendor goes out of business

D) To manage the software procurement process efficiently

A

C) To provide access to the source code in case the vendor goes out of business

Software escrow is a process where a copy of the source code is held by a third party. Its purpose is to ensure that if the software vendor goes out of business, the source code can be made available to customers for maintenance and continued use of the software.

44
Q

Change Management

A

Change management is a well-managed process to handle changes in an environment, such as revising an application or applying patches.

Changes must be carefully managed to avoid security breaches, increased risk, and disruptions to the business.

  • The change management process typically involves several stages:
    1. Request for change: A change request is made.
    2. Review and approval: The change request is evaluated by a change architecture board or steering committee, and it may be approved or denied.
    3. Viability testing: Approved changes are tested to ensure their feasibility.
    4. Scheduling and communication: The change is scheduled, and users are informed.
    5. Implementation: The change is implemented, with a full backup carried out beforehand.
    6. Evaluation and feedback: The change is evaluated for success, and user feedback is collected.
    7. Documentation update: All relevant documentation is updated to reflect the change.
  • The review stage of change management should involve the Information Assurance department to ensure that risks are assessed and software integrity is maintained.
  • Questions asked during the review stage may include the reason for the change, its purpose, associated risks and costs, and the expected benefits.
  • It is crucial to have a contingency plan (plan B) in case the change fails, including a rollback to the system state before the change.
45
Q

During the change management process, which department should provide input to ensure software integrity and mitigate risks?

A) Human Resources
B) Information Assurance
C) Finance and Accounting
D) Operations and Production

A

B) Information Assurance

In the change management process, it is crucial to involve the appropriate departments to assess risks and maintain software integrity. Among the options provided, the department that should provide input in this context is Information Assurance. They specialize in ensuring the security and integrity of information systems.

46
Q

What is one of the key questions to be addressed during the review stage of the change management process?

A) How many resources are required for the change?
B) What is the estimated timeline for completing the change?
C) What is the anticipated cost of the change?
D) Why is the change being requested?

A

D) Why is the change being requested?

During the review stage of the change management process, various aspects of the change are assessed. One key question that needs to be addressed is why the change is being requested. Understanding the purpose and rationale behind the change is crucial in evaluating its feasibility and potential impact.