Risk reduction in a system development life-cycle should be applied:
Click on the arrows to vote for the correct answer
A. B. C. D.D.
Risk is defined as the combination of the probability that a particular threat source will exploit, or trigger, a particular information system vulnerability and the resulting mission impact should this occur.
Previously, risk avoidance was a common IT security goal.
That changed as the nature of the risk became better understood.
Today, it is recognized that elimination of all risk is not cost-effective.
A cost-benefit analysis should be conducted for each proposed control.
In some cases, the benefits of a more secure system may not justify the direct and indirect costs.
Benefits include more than just prevention of monetary loss; for example, controls may be essential for maintaining public trust and confidence.
Direct costs include the cost of purchasing and installing a given technology; indirect costs include decreased system performance and additional training.
The goal is to enhance mission/business capabilities by managing mission/business risk to an acceptable level.
Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 8).
The system development life cycle (SDLC) is a framework used to guide the process of developing and maintaining information systems. It includes several phases, such as initiation, planning, development, testing, deployment, and maintenance.
Risk reduction is an essential part of the SDLC as it helps to identify potential security threats and vulnerabilities and mitigate them to ensure the security of the system. The application of risk reduction techniques should be a continuous process throughout the SDLC.
Option A, "Mostly to the initiation phase," suggests that risk reduction should be applied primarily at the beginning of the SDLC. However, this approach is not sufficient because it does not take into account the changing nature of risks throughout the development process.
Option B, "Mostly to the development phase," suggests that risk reduction should be applied primarily during the development phase. This approach is more appropriate than Option A, but it still neglects other phases of the SDLC where risks may arise.
Option C, "Mostly to the disposal phase," suggests that risk reduction should be applied primarily during the disposal phase. While this is a critical phase for risk reduction, it is not the only phase where risks may arise.
Option D, "Equally to all phases," is the best answer as it suggests that risk reduction techniques should be applied continuously throughout all phases of the SDLC. This approach ensures that all potential security threats and vulnerabilities are identified and mitigated in a timely and effective manner, thereby reducing the overall risk to the system.
In summary, risk reduction techniques should be applied equally to all phases of the SDLC to ensure the security of the system.