In which of the following SDLC phases is the system’s security features configured and enabled, the
system is tested and installed or fielded, and the system is authorized for processing?

A.
Initiation Phase

B.
Development/Acquisition Phase

C.
Implementation Phase

D.
Operation/Maintenance Phase

Explanation:
It is the implementation phase, in which the system’s security features are configured and enabled,
the system is tested and installed or fielded, and the system is authorized for processing. A design
review and systems test should be performed prior to placing the system into operation to ensure
that it meets security specifications.
Answer option D is incorrect. In Operation/Maintenance Phase, the system performs its work. The
system is almost always being continuously modified by the addition of hardware and software and
by numerous other events.
Answer option A is incorrect. In the initiation phase, the need for a system is expressed and the
purpose of the system is documented.
Answer option B is incorrect. In Development/Acquisition Phase, the system is designed, purchased,
programmed, developed, or otherwise constructed.
CISM Review Manual 2010, Contents: “Information Security Program Management”