During which phase of an IT system life cycle are security requirements developed?

A.
Operation

B.
Initiation

C.
Development

D.
Implementation

Explanation:
In this phase, user needs are identified and the basic security objectives of the
product are acknowledged. It must be determined if the product will be processing sensitive data,
and if so, the levels of sensitivity involved should be defined. An initial risk analysis should be
initiated that evaluates threats and vulnerabilities to estimate the cost/
benefit ratios of the different security countermeasures. Issues pertaining to security
integrity, confidentiality, and availability need to be addressed. The level of each security
attribute should be focused upon so a clear direction of security controls can begin
to take shape. A basic security framework is designed for the project to follow, and risk
management processes are established. Risk management will continue throughout the lifetime of
the project. Risk information may start to be gathered and evaluated in the
project initiation phase, but it will become more granular in nature as the phases graduate
into the functional design and design-specification phase.