Effective CISSP Questions

According to the NIST SDLC, which of the following is the first security activity that should be conducted before authorizing an information system to operate?
A. Assess risk to the system
B. Assess business impact
C. Assess system security
D. Review operational readiness

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Assess business impact.


Source: NIST SP 800-64R2


4 thoughts on “CISSP PRACTICE QUESTIONS – 20200411”

  1. Hi Wentz
    Thank you for selflessly sharing your knowledge. The answer makes me a little confused…
    “authorizing an information system” = SDLC Phase 3 (4.authorizing the information system) ?

    It should be Phase 3 (3. Assess System Security) before “authorizing the information system” ?

    • There are many activities that should be done before authorizing an information system, but the question is asking about the “first,” not the one right before authorization. Please don’t hesitate to let me know when in doubt. Thanks for your comment.

      • Thanks for creating such wonderful (often conceptual) Qs. This question seems to be presented in an over-complicated way. Answering this relies more on memory than understanding. Not something CISSP exam would actually do (just a thought).

      • Thanks for your feedback, Wangdi. I agree with you. Frankly, I designed questions primarily to invite thinking and research, but not to simulate the real exam. I hope the topics behind each question can be discovered and explored.
