
The waterfall model is incorrect because it does not bring the operational viewpoint into the requirements phase until the system is completely implemented. Although the incremental development model and the evolutionary development model are better than the waterfall model, they are not as good as rapid prototyping at bringing the operational viewpoint into the requirements specification.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 11.

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and create a smooth transition to the new business process, the company is going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

1. Security categorization is performed in which of the following phases of an SDLC methodology?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operations/maintenance

1. a. Security categorization standards provide a common framework for expressing security needs. Categorization is based on an assessment of the potential impact (i.e., low, moderate, or high) that a loss of confidentiality, integrity, or availability of information systems would have on organizational operations, organizational assets, or individuals. It is a task performed in the initiation phase.

2. Security planning is performed in which of the following phases of an SDLC?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operations/maintenance

2. b. Security planning ensures that agreed-upon security controls, whether planned or in place, are fully documented. It is a task performed in the development/acquisition phase.

3. Security certification and accreditation is performed in which of the following phases of an SDLC?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operations/maintenance

3. c. Security certification ensures that the controls are effectively implemented through established verification techniques and procedures and gives an organization confidence that the appropriate safeguards and countermeasures are in place to protect the organization’s information systems. Security accreditation provides the security authorization an information system requires in order to process, store, or transmit information. Both security certification and accreditation tasks are performed in the implementation phase.

4. Configuration management and control is performed in which of the following phases of an SDLC?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operations/maintenance

4. d. Configuration management and control ensures adequate consideration of the potential security impacts of specific changes to an information system or its surrounding environment. It is a task performed in the operations/maintenance phase.

5. Continuous monitoring is performed in which of the following phases of an SDLC?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operations/maintenance

5. d. Continuous monitoring ensures that controls continue to be effective in their application through periodic testing and evaluation. It is a task performed in the operations/maintenance phase.

6. Media sanitization is performed in which of the following phases of an SDLC?

a. Development/acquisition

b. Implementation

c. Operations/maintenance

d. Disposition

6. d. Media sanitization ensures that data is deleted, erased, and written over as necessary. It is a task performed in the disposition phase.

7. Security controls and audit trails should be built into computer systems in which of the following SDLC phases?

a. System initiation phase

b. System development phase

c. System implementation phase

d. System operation phase

7. b. During the system development phase, the system is designed, purchased, programmed, developed, or otherwise constructed. During this phase, functional users, together with system/security administrators, develop the system controls and audit trails that are used during the operational phase.

8. A security evaluation report and an accreditation statement are produced in which of the following phases of the SDLC?

a. Requirements definition phase

b. Design phase

c. Development phase

d. Testing phase

8. d. Major outputs from the testing phase include the security evaluation report and the accreditation statement. The purpose of the testing phase is to perform various tests (unit, integration, system, and acceptance). Security is tested to see whether it works and is then certified.

9. Which of the following phases of a system development life cycle (SDLC) should not be compressed so much for the proper development of a prototype?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

9. c. System testing, which is part of implementation, is important for determining whether internal controls and security controls are operating as designed and in accordance with established policies and procedures.

In the prototyping environment, there is a tendency to compress the system initiation, definition, design, programming, and training phases. However, the testing phase should not be compressed so much, for quality reasons. By definition, prototyping requires some compression of activities and time because of the speedy nature of the prototyping development methodology, but without loss of the main features, functions, and quality.

10. The activity that would be different between a prototype development approach and the traditional system development approach is:

a. How activities are to be accomplished

b. What users need from the system

c. What a project plan should contain

d. How individual responsibilities are defined

10. a. Managers still need to define what they want from the system, some assessment of costs and benefits is still needed, and a plan to proceed with defined individual responsibilities is still required. The difference lies in the way activities are accomplished: the tools, techniques, methods, and approaches used in a prototype development project and in a traditional system development project are different.

11. A general testing strategy for conducting application software regression testing includes which of the following sequences of tasks?