PrepAway - Latest Free Exam Questions & Answers

which phase of the system development process?

Risk analysis is MOST useful when applied during which phase of the system development process?


A. Project initiation and Planning

B. Functional Requirements definition

C. System Design Specification

D. Development and Implementation

Explanation:

The Systems Development Life Cycle (SDLC), also called the Software Development Life Cycle or simply the System Life Cycle, is a system development model. There are many variants of the SDLC, but most follow (or are based on) the National Institute of Standards and Technology (NIST) SDLC process.

NIST Special Publication 800-14 states: “Security, like other aspects of an IT system, is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.”

Additional steps are often added, most critically the security plan, which is the first step of any SDLC.

The following overview is summarized from the NIST document, in which the first two steps relate to Risk analysis:
1. Prepare a Security Plan—Ensure that security is considered during all phases of the IT system life cycle, and that security activities are accomplished during each of the phases.
2. Initiation—The need for a system is expressed and the purpose of the system is documented.
3. Conduct a Sensitivity Assessment—Look at the security sensitivity of the system and the information to be processed.
4. Development/Acquisition
5. Implementation
6. Operation/Maintenance
Incorrect Answers:
B: Risk analysis is not a critical part of the Functional Requirements definition.
C: Risk analysis is not a critical part of the System Design Specification.
D: Risk analysis is not a critical part of Development and Implementation.

Conrad, Eric, Seth Misenar and Joshua Feldman, CISSP Study Guide, 2nd Edition, Syngress, Waltham, 2012, pp. 182-183

