A new online bank is developing its core system to support internet banking. Business staff considers the system should be submitted for certification after being fully tested, while the IT team insists the system should be released for evaluation and improved per the feedback. However, the IT’s approach results in that the CEO stepped down because the core system cannot meet the minimum security requirements and keeps failing to get the authorization to operate from the regulatory agency. Which of the following development approaches should have been implemented to avoid the failure?
A. Waterfall
B. Incremental development
C. Agile
D. Continuous delivery

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Waterfall.

The business staff understands more about the regulatory requirements and the market, so both IT and security functions should align with the business requirement, “the system should be submitted for certification after being fully tested.”

• The regulatory agency typically promulgates specific compliance requirements and C&A processes. The waterfall is plan-driven and suitable for projects with specific requirements, which is still widely adopted. The project life cycle decision can be made based on the well-known Stacey matrix, as shown in the diagram above.
• Moreover, Agile is not a silver bullet; it fits the context with a high degree of uncertainty or complexity. Since the IT team has followed the Agile approach that typically involves incremental development (value) and continuous delivery (automation), but that’s not working and results in the CEO’s resignation. As a result, the waterfall should have been implemented to solve the problem.

Agile

Agile is a mindset that comprises a set of values, principles, and practices. It emphasizes delivering working software/value (aka “increment” in Scrum), people collaboration, and risk adaptation.

• Incremental development is part of Agile. It refers to frequent releases to deliver value and adapt to risk.
• Continuous delivery, a common practice adopted in Agile, implies an “automated” workflow of software development to accelerate the delivery of working software.
• “Iteration” and “increment” are the crucial concept of Agile to deliver working software (value) frequently. Agile development is a combination of iterative and incremental development.

Reference

• Manifesto for Agile Software Development
• Paving the path of Scrum Adoption: (2) Product People
• CISSP PRACTICE QUESTIONS – 20201119
• CISSP PRACTICE QUESTIONS – 20201228
• CISSP PRACTICE QUESTIONS – 20200423

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

一家新的純網銀正在開發其核心系統，以支持網銀業務。業務人員認為系統應在經過全面測試後再提交驗證(certification)，而IT團隊則堅持應先發布系統以進行評估，再根據反饋進行改進。 但是，IT部門的方法導致CEO辭職，因為核心系統無法滿足最低的安全要求，並且始終無法從監管機構獲得運營許可。當初應該採用以下哪種開發方法來避免這樣的失誤？
A. Waterfall
B. Incremental development
C. Agile
D. Continuous delivery