What is the appropriate role of the security analyst in the application system development or acquisition
project?

A.
policeman

B.
control evaluator & consultant

C.
data owner

D.
application user

Explanation:
The security analyst contributes to the development of policies, standards, guidelines, and baselines. They help
define the security controls and ensure the security controls are being implemented and maintained. This role is
fulfilled through consultation and evaluation.
Incorrect Answers:
A: During system development or acquisition, there should be no need of anyone filling the role of policeman.
C: The data owner is responsible for the protection of the data used by the application and can decide what
security controls would be required to protect the Databased on the sensitivity and criticality of the data.
D: The application user is an individual who uses the application for work-related tasks. The user must have the
necessary level of access to the data to perform the duties within their position. The application user is not
responsible for implementing or evaluating security measures.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 114, 121-122, 123,
125