At what stage of the applications development process should the security department become involved?

A.
Prior to the implementation

B.
Prior to systems testing

C.
During unit testing

D.
During requirements development

Explanation:
The security department would be busy in the development phase as it includes the follow security related
activities:
Security functional requirements analysis
Identifies the protection levels that must be provided by the system to meet all regulatory, legal, and policy
compliance needs.
Security assurance requirements analysis
Identifies the assurance levels the system must provide. The activities that need to be carried out to ensure
the desired level of confidence in the system are determined, which are usually specific types of tests and
evaluations.
Security plan
Documented security controls the system must contain to ensure compliance with the company’s security
needs.
Security test and evaluation plan
Outlines how security controls should be evaluated before the system is approved and deployed.
Incorrect Answers:
A: It would be too late to involve the security department during the implementation phase.
B: It would be too late to involve the security department during Testing Phases including the System Testing
phase.
C: It would be too late to involve the security department during the Unit Testing phase.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1091