Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The project team has finished business and privacy impact analysis. Which of the following security activity should be conducted next?
A. Assess system security
B. Create a detailed plan for certification and accreditation (C&A)
C. Assess risk to the system
D. Review operational readiness

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Assess risk to the system.

This question is designed to remind CISSP aspirants of the importance of the security activities in the system development life cycle (SDLC). Please refer to the following table for details:

Source: NIST SP 800-64 R2

http://www.humanresources4u.com/blog/2011/06/06/contingent-job-offers/