When in the Software Development Life Cycle (SDLC) MUST software security functional
requirements be defined?

A.
After the system preliminary design has been developed and the data security categorization has
been performed

B.
After the business functional analysis and the data security categorization have been performed

C.
After the vulnerability analysis has been performed and before the system detailed design begins

D.
After the system preliminary design has been developed and before the data security
categorization begins