The initial security categorization should be done early in the system life cycle and should be reviewed periodically. Why is it important for this to be done correctly?
A. It determines the functional and operational requirements.
B. It determines the security requirements.
C. It affects other steps in the certification and accreditation process.
D. The system engineering process works with selected security controls.
The initial security categorization for the information and the information system should be done during the initiation phase of the system development life cycle along with an initial risk assessment. The initial risk assessment defines the threat environment in which the information system will operate and includes an initial description of the basic security needs of the system.
https://csrc.nist.gov/csrc/media/projects/risk-management/documents/categorize/faq-categorize-step1.pdf
Answer B)
The initial security categorization for the information and the system is performed during the initiation phase of the system development life cycle along with an initial security risk assessment. The initial risk assessment defines the threat environment in which the system operates and includes an initial description of the basic security needs of the system.
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/02-Categorize%20Step/NIST%20RMF%20Categorize%20Step-FAQs.pdf
A is wrong as it doesn't determine functional and operational requirements.
C is wrong as no one was talking about getting any certification/accreditation for the application.
D is wrong as some system engineering processes may or may not be dependent on selected security controls.
C. It affects other steps in the certification and accreditation process.
The correct categorization of a system's security level is crucial because it has a cascading effect on various aspects of the system's development, implementation, and management. When the initial security categorization is done correctly, it helps in determining the appropriate security requirements, selecting the necessary security controls, and defining the overall security posture of the system. Additionally, it impacts other steps in the certification and accreditation process, such as risk assessments, security control selection, and the development of security documentation.
Incorrect categorization can lead to inadequate security measures or overburdening the system with unnecessary security controls, both of which can have serious consequences for the system's effectiveness and efficiency. Therefore, getting the initial security categorization right is a critical foundational step in the security lifecycle of a system.
The correct answer is B.
Explanation: The initial security categorization helps to determine the security requirements for the system. These requirements will guide the selection, implementation, and testing of security controls. If the initial security categorization is not done correctly, the system may not be adequately protected against threats and vulnerabilities. It is important to periodically review the security categorization to ensure that it remains appropriate as the system evolves over time.
As per "6. DURING WHICH PHASE OF THE SYSTEM DEVELOPMENT LIFE CYCLE SHOULD A NEW SYSTEM BE CATEGORIZED?" in here https://csrc.nist.gov/csrc/media/projects/risk-management/documents/categorize/faq-categorize-step1.pdf
I would go with B.
For me, D sounds better, as it fulfills the integration of security from the beginning.