Exam CISSP topic 1 question 37 discussion

It can't be D or anything where testing or validation is mentioned. as validation or testing are not part of the design but part of the next phase - implementation.

he answer is A. Proper security controls, security objectives, and security goals are properly initiated. The security design process in the SDLC is focused on ensuring that security is baked into the system from the very beginning. This includes:   Initiating security objectives and goals: Clearly defining the security objectives and goals for the system. Defining security controls: Identifying and implementing appropriate security controls to protect the system and its data.   Ensuring proper initiation: Making sure that these security measures are properly initiated and integrated into the development process. While other options may involve important aspects of the SDLC, they do not accurately capture the core focus of the security design process, which is to establish a strong security foundation from the outset.

In the context of the security design process within the System Development Life Cycle (SDLC), both option A and option D have their merits, but it ultimately depends on the specific needs and requirements of the organization. Option A: Proper security controls, security objectives, and security goals are properly initiated emphasizes the importance of ensuring that the appropriate security controls, objectives, and goals are identified and initiated during the security design process. This option highlights the need for a proactive approach in implementing security measures from the early stages of system development. Option D: Security goals, proper security controls, and validation are properly initiated adds the aspect of validation to the mix. It emphasizes the importance of not only setting security goals and implementing security controls but also ensuring that these controls are validated to ensure their effectiveness and alignment with the desired security objectives. both are valid, as i said earlier, it all depend on the requirements or the need of the company/organization.

I think A...

A. Proper security controls, security objectives, and security goals are properly initiated. The security design process within the System Development Life Cycle (SDLC) ensures that proper security controls, security objectives, and security goals are properly initiated. This includes identifying and assessing risks, and implementing controls to mitigate those risks. The security design process is a critical step in ensuring the security and integrity of a system throughout its lifecycle.

Eliminate options B and C as system test and fault mitigation are not security specific and already done somewhere in SDLC. Option D is better than A as it validates security which ends a process. Answer is D.

Poorly worded question . The key differentiator here is the term "Objectives" that makes A a winner .

Think it's A.

A is correct answer imo.

It's A, all others are from "Implementation" phase

A & D are "initiated" B & C are "conducted" The secure design process relates to some kind of initiation, so I eliminate B and C A - Aren't security goals and objectives are same? B - but how can validation be part of the process? Thoughts?

MAAAAAAAAAYYYBBBBEEEEE "D" - Only because it has validation in it. I am thinking as they develop the software they will keep validating and testing the software for bugs and fixing them as the go. https://snyk.io/learn/secure-sdlc/ Implementing SDLC security affects every phase of the software development process. It requires a mindset that is focused on secure delivery, raising issues in the requirements and development phases as they are discovered. This is far more efficient—and much cheaper—than waiting for these security issues to manifest in the deployed application. Secure software development life cycle processes incorporate security as a component of every phase of the SDLC. While building security into every phase of the SDLC is first and foremost a mindset that everyone needs to bring to the table, security considerations and associated tasks will actually vary significantly by SDLC phase.

really?