System Development Life Cycle Flashcards

1
Q

What 2 approaches or methodologies exist to develop or acquire information systems?

A

Traditional and alternative

2
Q

Describe the traditional approach.

A

Requires systematic and disciplined work internally using a system SDLC methodology.

3
Q

What are the 5 phases of SDLC?

A

1) Planning/initiation
2) Development/acquisition
3) Implementation/assessment
4) Operation/maintenance
5) Disposal/decommissioning

4
Q

Planning/Initiation - System related activities

A

1) Understand functional users' request for new system
2) Conduct feasibility study
3) High-level needs assessment
4) Preliminary risk assessment
5) Using decision tables, flowcharts, data flow diagrams - express user needs and system requirements

5
Q

Planning/initiation - security-related activities

A

1) Security planning document
- security awareness and training plans
- rules of behaviour
- risk assessment
- configuration mgt plan
- contingency plan
- incident response plan
- system interconnection agreements
- security tests and evaluation results
- plan of actions and milestones
(Does not contain a request for proposal, vendor contract plans or statement of work - that is project mgt not security mgt)
2) Sensitivity assessment
3) Security assurance

6
Q

Development/Acquisition - System related activities

A

1) Performing an in-depth analysis of user needs
2) Performing general and detailed system design work
3) Developing computer programs
4) Conducting unit and system testing
5) Planning desk reviews, mutation analysis, sensitivity analysis for analyzing changes, boundary-value analysis, and error seeding methods during testing
6) Performing quality assurance (QA) and quality control (QC) reviews
7) Doing a detailed risk assessment

During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed.

7
Q

Development/Acquisition - security related activities

A

1) Determining security features, controls, assurances, and operational practices
2) Incorporating these security requirements into security design specifications
3) Actually building or buying these security requirements into the system
4) Conducting design reviews through walkthroughs
5) Preparing test documents with test cases and test procedures with formal specific programming languages
6) Conducting certification and accreditation activities

Possible security threats or vulnerabilities that should be considered during this phase include Trojan horses, incorrect/incomplete program code, poorly functioning software development tools, manipulation of program code, and malicious insiders.

8
Q

Implementation/Assessment - system related activities

A

1) Providing training to end users and system users
2) Conducting acceptance testing for end users
3) Converting the old system into the new system
4) Developing instruction manuals for system use
5) Performing QA and QC reviews

After acceptance testing and conversion, the system is installed or fielded with a formal authorization from management to put into production status.

9
Q

Implementation/Assessment - security related activities

A
  • include installing or turning on security controls, performing security tests (e.g., functional tests, penetration tests), and security evaluation report and accreditation statement.
10
Q

Operation/Maintenance - system related activities

A

1) Doing production operations and support work
2) Performing a postimplementation review
3) Undertaking system maintenance and modification work
4) Monitoring the system’s performance

During this phase, the system is fully operational and doing its work as intended and planned. The system is frequently modified by the addition of new hardware and software and by new functional requirements. The CM process is implemented with baselines and change controls.

11
Q

Operation/Maintenance - security related activities

A

1) Security operations and administration (e.g., performing backups, managing cryptographic keys, setting user access accounts, and updating security software)
2) Operational assurance (e.g., conducting system audits and continuous monitoring)
3) Periodic reaccreditation when security is insufficient and when the changes made are significant

12
Q

What is the focus of system requirements in system development?

A

System requirements describe external behavior of a computer system. They focus on what the software is to accomplish. Requirements present unmet user needs and unsolved business problems.

13
Q

What is the focus of system design in system development?

A

System design describes the internal behavior of a computer system. It focuses on how to develop solutions to unmet user needs and business problems. Design satisfies user needs and solves business problems.

14
Q

What is the focus of system implementation in system development?

A

System implementation focuses on how to use and operate the software.

15
Q

Disposal/Decommissioning - system related activities

A
  • include system retirement or replacement plans and media sanitization procedures. The computer system is disposed of (terminated) once the transition to a new computer system is completed.
16
Q

Disposal/Decommissioning - security related activities

A

1) Disposition of information (i.e., data sanitization), hardware, and software
2) Moving information to archives after considering legal and audit requirements for records retention and the method of retrieving the information in the future
3) Disposition of software after considering licensing terms and agreements (site specific) with the developer, if the agreement prevents the software from being transferred
4) Taking appropriate steps to ensure secure long-term storage of cryptographic keys and for the future use of data if the data have been encrypted

17
Q

What should happen when a software intensive system is retired or replaced?

A
  • the data must be migrated by validated means to the new software-intensive system or must be made unreadable before disposal.
  • Note that encrypted data may not be adequately protected if they are weakly encrypted.
  • Simply stated, residual data equals residual risk.
18
Q

What should be considered with storage devices used in virtualisation process?

A
  • Before a device using a virtualization process permanently leaves an organization (such as when a leased server’s lease expires or when an obsolete personal computer [PC] is being recycled), the organization should remove any sensitive data from the host.
  • Data may also need to be wiped if an organization provides loaner devices to teleworkers, particularly for travel.
  • Note that sensitive data may be found nearly anywhere on a device because of the nature of virtualization.
  • For this reason, an organization should strongly consider erasing all storage devices completely.
19
Q

What should be considered with regards to basic input/output (BIOS) system?

A
  • in this phase is removing or destroying any sensitive data from the basic input/output system (BIOS) to reduce the chances of accidental data leakage.
  • The configuration baseline should be reset to the manufacturer’s default profile; in particular, sensitive settings, such as passwords, should be deleted from the system, and cryptographic keys should be removed from the key store.
20
Q

6 models exist to either develop or acquire information systems.
In practice a combination of these models may be deployed after considering time, cost, skill constraints and trade-offs.
Name the 6 models.

A

1) Waterfall model
2) Rapid application development model
3) Incremental development model
4) Spiral model
5) Rapid prototyping model
6) Object-oriented development model

21
Q

Models in system development - waterfall model

A

takes a linear, sequential view of the software engineering process, similar to an SDLC model.

22
Q

Models in system development - rapid application development model

A
  • opposite to waterfall model
  • good when requirements are not fully understood by both parties
  • uses computer aided software engineering (CASE) tools, fourth generation programming languages (4GLs), and software reuse modules to quickly prototype an information system.
23
Q

Models in system development - incremental development model

A
  • Although the incremental development model and the evolutionary development models are better than the waterfall model, they are not as good as rapid prototyping in terms of bringing the operational viewpoint to the requirements specification.
  • Successive versions of the system are developed reflecting constrained technology or resources.
24
Q

Models in system development - spiral model

A
  • another type of evolutionary model.
  • It was developed to provide the best feature of both the classic life cycle approach and prototyping.
25
Q

Models in system development - rapid prototyping model

A
  • is a process that enables the developer to create a model of the software built in an evolutionary manner.
  • Rapid prototyping uses special software and a special output device to create a prototype to design and test a system in three dimensions.
26
Q

Models in system development - object-oriented development model

A
  • is applied once the design model has been created.
  • The software developer browses a library or repository that contains existing program components to determine if any of the components can be used in the design at hand.
  • If reusable components are found, they are used as building blocks to construct a prototype of the software.
27
Q

3 tools exist to develop systems quickly and completely - name them.

A

1) Prototyping
2) Cleanroom software engineering
3) Computer-aided software engineering

28
Q

What is the most troublesome area to handle and control for functional users, IT staff and auditors?

A

Defining software requirements

29
Q

What is the foundation upon which the entire applications software system is built?

A

Defining software requirements

30
Q

What is a major problem with regards to software requirements? And why?

A

The software development staff is working against a moving target.
This occurs because sw requirements are constantly changing due to functional users' inability to define their requirements clearly and completely, communication problems between functional users and IT staff, and natural changes in business functional requirements from internal and external sources over the time frame of the sw development project.

31
Q

What is prototyping?

A

It is the development of a working model with test or real (preferred) data using an iterative approach supported by user and developer interaction.

32
Q

What does prototyping assure?

A

It assures that system requirements are adequately defined and correct through actual user experience in using the model. It also addresses the question of timely delivery of completed systems.

33
Q

When is prototyping especially useful?

A

Development of unstructured application systems.

34
Q

Prototyping can be done in many ways. A prototyped system may be:

A

1) developed for a single user or multiple users
2) Programmed in one language for model development and later programmed in or combined with other languages to suit the operational (production) environment
3) Developed for both accounting/financial and non financial systems
4) Developed to address partial or full system functions
5) Developed to build the final (real) system to operate in a production environment.

35
Q

What are important tools used to document the prototype features and functions?

A

Data flow diagrams and data dictionary

36
Q

After an organisation has completed a prototype it has 3 choices.

A

1) Discard prototype - can't be improved or system can't be used
2) Move prototype into production operations as is - usually good choice for application systems with low-volume transactions, operated on regular or irregular basis, e.g. decision support systems, ad hoc enquiry, one-time, small and simple systems, single-user systems
3) Input to full scale design - good for application systems with high volume transactions, need for quick response time, operate on scheduled basis, e.g. heavy duty, large and complex and transaction based business application systems

37
Q

Why is cleanroom process or cleanroom software engineering deployed?

A

To ensure software quality

38
Q

What is cleanroom process?

A
  • Programmers do not compile their code
  • Spend more time on design, use a box structure method and analyze their own work
  • When programmers are confident of their work, it is submitted to another group, whose members then compile and test the code.
39
Q

What have cleanroom experiments shown?

A
  • Lower error rate in finished sw product
  • Increase in productivity across a system's life cycle

40
Q

Cleanroom sw engineering is a concept borrowed from….

A

Cleanroom hw engineering

41
Q

Cleanroom sw engineering is the result of the combined effect of…

A

Statistical QC and proof-of-correctness principles

42
Q

What are the priorities of cleanroom process?

A

1) Defect prevention (not defect removal) - achieved through human verification procedures to ensure proof-of-correctness instead of program debugging
2) Provide QA - measured in terms of mean time to failure (MTTF)
Both priorities lower number of defects per 1000 lines of code before the first executable tests are conducted

43
Q

What is Computer Aided Software Engineering?

A
  • Used to expedite and improve the productivity of software developers' work.
  • Provide a 4GL or application generator for fast code writing, flowcharting, data flow diagramming, DD facility and word processing in order to develop and document the new software
  • CASE tools used in prototyping system by developing online screens and reports for end user to view and change.
  • Modern CASE tools called i-CASE (integration)
44
Q

Name 11 alternative approaches to acquire software externally.

A

1) Commercial off-the-shelf sw
2) Custom sw
3) Modifiable off-the-shelf sw
4) Government off-the-shelf sw
5) Mobile code sw
6) Freeware
7) Shareware
8) Open source sw
9) Embedded sw
10) Integrated sw
11) SW service from an application service provider

45
Q

Commercial-off-the-shelf (COTS)

A
  • Proprietary sw products
  • Ready made
  • Available for sale to customers
46
Q

Custom SW

A
  • Developed for a specific organisation or function that differs from other already available sw
  • Generally not targeted to the mass market
  • Usually created for interested organisations
47
Q

Modifiable off-the-shelf (MOTS)

A
  • Typically a COTS product whose source code can be modified
  • Product may be customised by purchaser, vendor or another party to meet customer requirements

48
Q

Government off-the-shelf

A
  • sw products typically developed by internal IT staff of specific government agency and can be used by other agencies
  • sometimes developed by external contractor, but with funding and product specification from agency
49
Q

Mobile code sw

A
  • Modules are obtained from remote systems, transferred across a network, and then downloaded and executed on local systems without explicit installation or execution by the recipient
  • It is risky because it is passed from one system to another and is used to describe applets within web browsers
50
Q

Freeware

A
  • Is copyrighted sw that is available for use free of charge for an unlimited time
51
Q

Shareware

A
  • Is a marketing method for commercial sw
  • A trial version is distributed in advance and without payment - common for proprietary sw
  • Typically obtained free of charge
  • Also known as try before you buy, demo-ware and trial-ware
  • Although typically obtained free of charge, payment is often required once a set period of time has elapsed after installation
52
Q

Open source sw

A
  • Computer sw whose source code is available under a copyright license that permits users to study, change, and improve the sw as well as to redistribute it in modified or unmodified form.
  • Usually not obtained by a contract, but a fee may be charged for use.
53
Q

8 possible risks from the use of open source sw

A

Not knowing whether:

1) sw is original source or modified version (modified version can introduce malicious code or other vulnerabilities)
2) SW infringes on any copyright or patent
3) SW validates inputs from untrusted sources before being used
4) SW is designed to execute within a constrained execution environment (virtual machine, sandbox, chroot jail, single-purpose pseudo-user and system isolation)
5) SW was measured or assessed for its resistance to identified relevant attack patterns
6) Sw was subjected to thorough security testing with results posted
7) Patches are distributed or whether patches can be uninstalled
8) Vendor practices version mgt

54
Q

Embedded SW

A
  • Part of a large physical system
  • Performs some of the requirements of that system and may or may not provide an interface with the user
  • Internally built within the physical system
55
Q

Integrated SW

A
  • Prime contractor with multiple subcontractors
  • Each subcontractor provides a specific piece of sw product and/or service for the sw-intensive system
  • Prime contractor responsible for integrating all the pieces into a whole sw intensive system, or that contractor may hire a separate contractor to integrate it
56
Q

Application Service Provider (ASP)

A
  • Supplier provides sw as a service instead of a stand alone sw product.
  • SW acquirers should consider governance of these services (computer programs, processes and procedures in place to ensure that things are done right in accordance with best practices and principles)
  • Here user organisation is acquiring services not products
57
Q

When considering alternative approaches to sw, application owners and acquirers should seek to reduce or manage risks. Highly recommended that due care principles are applied and due diligence reviews performed. What analyses should application owners and acquirers perform to reduce risk:

A

1) Evaluate alternatives for treatment of risks (accept, mitigate, avoid, transfer or share with 3rd party)
2) Identify protection strategies that reduce risk to acceptable tolerance
3) Identify potential trade-offs among decreased risks, increased costs and decreased operational effectiveness and efficiency
4) Identify approaches for managing residual risks that remain after protection strategies are adopted