From Reference 2


8 domain areas of the CISSP

1. Security Governance Through Principles and Policies
2. Asset Security
3. Security Architecture and Engineering
4. Communication and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security
What are the four components of a complete organizational security policy and their
basic purpose?

The four components of a security policy are policies, standards, guidelines, and procedures.
Policies are broad security statements. Standards are definitions of hardware and software
security compliance. Guidelines are used when there is not an appropriate procedure.
Procedures are detailed step-by-step instructions for performing work tasks in a secure manner.

1. What is the difference between vulnerability and exposure?

The key difference between vulnerability and exposure in the context of information
security is:
Vulnerability:
• A weakness or flaw in a system, application, or process that can be exploited by a threat
actor.
• Vulnerabilities exist within the system or environment, regardless of whether they are
being actively exploited.
• Examples include software bugs, misconfigurations, lack of controls, etc.
Exposure:
• The extent to which an asset or system is vulnerable to potential harm from a threat.
• Exposure deals with the likelihood and potential impact of a vulnerability being
exploited.
• Exposure considers factors like the accessibility of the vulnerable system, the value of
the assets, the capabilities of potential attackers, etc.
In summary:
• Vulnerability refers to the weakness itself.
• Exposure refers to the risk or likelihood of that vulnerability being exploited and the
potential impact.
2. What is the difference between a threat agent and a threat source?
The main difference between a threat agent and a threat source is:
Threat Agent:
• A threat agent is the entity, either human or non-human, that has the capability, intent,
and opportunity to cause harm.
• Threat agents are the actors or entities that can initiate or execute a threat.
• Examples of threat agents include hackers, dissatisfied employees, natural disasters,
power failures, etc.
Threat Source:
• A threat source is the origin or cause of a threat.
• Threat sources are the factors or circumstances that provide the means for a threat agent
to carry out an attack.
• Examples of threat sources include software vulnerabilities, weak access controls, lack
of training, outdated hardware, etc.
In summary:
• Threat agent refers to the actor or entity that can carry out a threat.
• Threat source refers to the origin that enables the threat agent to initiate the threat.
3. Identify the six components of an information system. Which are most directly affected by
the study of computer security? Which are most commonly associated with its study?
The six key components of an information system are:
1. Hardware - The physical computing equipment like servers, workstations,
networking devices, etc.
2. Software - The programs, operating systems, and applications that run on the
hardware.
3. Data - The information and content that is processed, stored, and transmitted by
the system.
4. Procedures - The policies, processes, and human activities involved in
operating the system.
5. People - The users, administrators, and other personnel who interact with the
system.
6. Network - The communication links and infrastructure that connect the various
components.
Of these six components, the ones most directly affected by the study of computer
security are:
• Software - Securing applications, operating systems, and code against
vulnerabilities and attacks.
• Data - Protecting the confidentiality, integrity, and availability of information
assets.
• Network - Securing communication channels, network devices, and internet-
facing systems.
4. Who is ultimately responsible for the security of information in the organization?
In an organization, the ultimate responsibility for the security of information lies with
multiple stakeholders. While there may not be a single person solely responsible for
information security, different individuals and departments play crucial roles in
ensuring the confidentiality, integrity, and availability of data and systems. Here are the
key players responsible for information security:
1. Chief Information Security Officer (CISO) or Chief Security Officer (CSO): The
CISO or CSO is typically responsible for overseeing the organization's information
security program. They have a high-level role and are accountable for the
confidentiality, integrity, and availability of the company's information assets.
2. IT Professionals: IT professionals, including network administrators, system
administrators, and security analysts, are responsible for implementing and maintaining
security measures to protect the organization's information assets. They play a vital role
in setting up firewalls, encryption protocols, intrusion detection systems, and other
security technologies.
3. Employees: Every employee in the organization has a responsibility to ensure the
security of information. They should follow security policies and procedures, use strong
passwords, be careful of phishing attempts, and report any suspicious activities or
incidents to the appropriate authorities.
4. Management and Leadership: The organization's leadership, including the CEO,
board of directors, and senior management, should prioritize information security and
provide the necessary resources and support to implement effective security measures.
They should also establish strong data protection policies and ensure compliance with
relevant regulations.
5. External Agencies and Consultants: Organizations may engage external agencies or
consultants specializing in information security to provide expertise, conduct security
audits, and assist in implementing security measures. These external entities can offer
valuable insights and help ensure the organization's security posture.
5. List and briefly describe the general categories of information security policy.

Information security policies can be broadly categorized into three main types, each
addressing a different aspect of information security:

1. Program Policies:
o Description: These are the high-level, overarching policies that set the tone
and direction for the entire information security program within the
organization.
o Focus: They establish the organization's commitment to information security,
outline the overall security goals, and provide a framework for developing
more specific policies.
o Example: An acceptable use policy that defines how employees can utilize
company technology resources.
2. Issue-Specific Policies:
o Description: These policies delve deeper into specific security concerns or
areas of risk. They provide detailed guidelines on how to address particular
security issues.
o Focus: They address specific threats, vulnerabilities, or compliance
requirements.
o Example: A data security policy outlining data classification schemes, access
controls, and encryption practices for sensitive information.
3. System-Specific Policies:
o Description: These policies provide granular security controls for specific
information systems or applications within the organization.
o Focus: They detail how security measures are implemented and configured for
particular systems or technologies.
o Example: A network security policy outlining firewall configurations, access
control lists, and intrusion detection system settings for the organization's
network.

6. Briefly describe strategic planning.

Strategic planning is the process an organization uses to define its long-term goals and
establish how to achieve them. It's essentially a roadmap that outlines the organization's
desired future state and the steps needed to get there. Here are some key aspects of strategic
planning:
• Setting the Vision and Mission:
o This involves defining the organization's purpose (mission) and what it aspires
to become in the long term (vision).
• Understanding the Environment:
o Analyzing internal strengths and weaknesses (SWOT analysis) and external
opportunities and threats helps identify factors that can impact the
organization's success.
• Goal Setting:
o Based on the vision and understanding of the environment, specific,
measurable, achievable, relevant, and time-bound (SMART) goals are
established.
• Developing Strategies:
o This involves creating action plans that outline how the organization will
achieve its goals. Strategies might involve product development, market
expansion, operational improvements, or technological advancements.
• Resource Allocation:
o Strategic plans guide the allocation of resources (financial, human,
technological) to support the chosen strategies.
• Monitoring and Evaluation:
o Progress is tracked, and the plan is adjusted as needed to ensure it remains
relevant and effective in the ever-changing environment.

Strategic planning is an ongoing process, not a one-time event. It should be revisited and
updated periodically to reflect evolving circumstances and ensure the organization stays on
track for long-term success.

7. List and briefly describe the levels of planning.

In the context of organizations, there are typically three main levels of planning that work
together to achieve overall goals:

1. Strategic Planning:
o Focus: Long-term (3-5+ years) vision and direction.
o Description: Sets the organization's overall goals, defines its mission and
vision, analyses the competitive environment, and identifies opportunities and
threats.
o Who's Involved: Typically, upper management and executives.
o Outcome: A high-level roadmap for the organization's future direction.
2. Tactical Planning:
o Focus: Mid-term (1-3 years) translating strategy into action.
o Description: Develops specific action plans to achieve strategic goals.
Identifies resources needed, assigns responsibilities, and establishes timelines.
o Who's Involved: Middle management and department heads.
o Outcome: Detailed roadmaps for departments to execute the overall strategy.
3. Operational Planning:
o Focus: Short-term (weeks, months, quarters) on day-to-day activities.
o Description: Creates specific steps and procedures to carry out tactical plans.
Focuses on efficient use of resources and addresses daily tasks.
o Who's Involved: Lower-level managers, supervisors, and individual
employees.
o Outcome: Clear instructions and procedures for daily operations that support
departmental and organizational goals.

These levels are interconnected. Strategic planning lays the groundwork, tactical planning
translates that vision into actionable steps, and operational planning ensures smooth
execution of the tactical plans. They function together to achieve the organization's long-term
objectives.

8. What are the differences between a policy, a standard, and a practice? Where would each
be used?
Differences between a policy, a standard, and a practice:
Policy:

➢ Definition: A policy is a written instruction that describes proper behavior and sets
out the rules and guidelines that individuals or organizations must follow.
➢ Purpose: Policies provide a framework for decision-making and guide actions to
ensure consistency, compliance, and accountability.
➢ Use: Policies are used to establish the overall direction and principles of an
organization, define acceptable behavior, and communicate expectations to
employees and stakeholders.
Standard:
➢ Definition: A standard is a detailed statement that specifies what must be done to
comply with a policy. It provides specific requirements, criteria, or specifications
that must be met.
➢ Purpose: Standards provide a level of uniformity and consistency in processes,
procedures, and practices. They serve as benchmarks for measuring performance
and ensuring quality and compliance.
➢ Use: Standards are used to establish specific guidelines, procedures, and technical
specifications that must be followed to achieve the objectives set out in the policy.
They provide a framework for implementation and evaluation.
Practice:
➢ Definition: A practice refers to the actual actions or behaviors that individuals or
organizations engage in to comply with policies and standards. It represents the
practical application of policies and standards in real-world situations.
➢ Purpose: Practices ensure that policies and standards are effectively implemented
and followed. They represent the day-to-day activities and behaviors that align with
the desired outcomes of the policies and standards.
➢ Use: Practices are used to guide individuals or organizations in their actions and
decision-making processes. They provide examples of specific actions or behaviors
that comply with the policies and standards.
Imagine building a house.
• The policy is the overall vision for the house (e.g., two-story, modern design).
• The standards are the specific details like building materials (e.g., concrete footing,
brick exterior).
• The practice is the actual construction process followed by the builders (e.g., pouring
the foundation, laying the bricks).
9. What is needed for an information security policy to remain viable?
An information security policy needs several key elements to ensure it remains viable and
effective over time:
Regular Review and Updates:
• The security landscape constantly evolves, with new threats and vulnerabilities
emerging.
• Policies need to be reviewed and updated periodically to reflect these changes.
• This ensures the policy continues to address current risks and provides adequate
protection.
Alignment with Business Needs:
• Information security shouldn't exist in a vacuum.
• The policy should be aligned with the organization's overall business goals and
objectives.
• Striking a balance between security controls and operational efficiency is crucial.
User Awareness and Training:
• Even the best policies won't be effective if employees aren't aware of them or don't
understand their importance.
• Ongoing security awareness training programs are essential for educating employees
about the policy, best practices, and potential threats.
Management Commitment and Enforcement:
• Strong leadership commitment from the top demonstrates the importance of
information security throughout the organization.
• Consistent enforcement of the policy ensures everyone understands the expectations
and consequences of non-compliance.
Testing and Evaluation:
• Regularly testing the security controls outlined in the policy helps identify any
weaknesses or vulnerabilities.
• This allows for proactive measures to be taken before a real security incident occurs.
• Evaluating the effectiveness of the policy as a whole helps determine if it's achieving its
intended goals.
Flexibility and Adaptability:
• The ability to adapt to changing circumstances is vital.
• New technologies, regulations, and business processes can all impact information
security needs.
• The policy should be flexible enough to accommodate these changes while maintaining
its core security principles.
By focusing on these elements, organizations can develop and maintain information
security policies that are not only effective but also remain viable in the face of an ever-
changing threat landscape.
10. What is defense in depth?
Defense in depth is an information security strategy that involves implementing multiple
layers of security controls to protect against various types of threats and attacks. It is
based on the principle that no single security measure can provide complete protection,
so a combination of measures is necessary to create a strong and resilient defense.
Key aspects of defense in depth include:
1. Layered Security: Defense in depth emphasizes the use of multiple layers or tiers
of security controls. Each layer adds an additional barrier to protect against potential
threats. If one layer is breached, the subsequent layers provide additional protection.
2. Multiple Defense Mechanisms: Defense in depth employs a variety of security
mechanisms, such as firewalls, intrusion detection systems, antivirus software,
access controls, encryption, and monitoring tools. These mechanisms work together
to provide a comprehensive defense against different types of attacks.
3. Defense at Different Levels: Defense in depth is implemented at various levels
within an organization's infrastructure, including network, system, application, and
data levels. Each level has its own set of security controls and measures to protect
against specific threats.
4. Redundancy and Resilience: Defense in depth incorporates redundancy to ensure
that if one security control fails, there are backup measures in place to maintain
security. This redundancy enhances the resilience of the overall security posture.
5. Defense-in-Depth Principles: Defense in depth follows certain principles, including
the principle of least privilege (giving users only the necessary access rights),
separation of duties (dividing responsibilities to prevent abuse of privileges), and
continuous monitoring and improvement of security measures.
By implementing defense in depth, organizations can create a more robust and effective
security posture, reducing the risk of successful attacks and minimizing the potential impact
of any breaches.
11. Define and briefly explain the SETA program and what it is used for.
SETA stands for Security Education, Training, and Awareness. It's a comprehensive
program designed to educate users about cybersecurity best practices and raise awareness
of potential security threats within an organization.
Here's a breakdown of the key components of a SETA program:
• Security Education: This involves teaching users the fundamentals of cybersecurity,
including password management, social engineering tactics, and how to identify
phishing attempts.
• Security Training: This provides more in-depth training on specific security
procedures and tools relevant to the user's role within the organization.
• Security Awareness: This ongoing process aims to keep users informed about current
threats and vulnerabilities, promoting a culture of security consciousness throughout
the organization.
Benefits of a SETA program:
• Reduced Risk of Human Error: Educated and aware employees are less likely to fall
victim to phishing attacks, social engineering scams, or accidentally introduce malware
through unsafe practices.
• Improved Incident Response: Employees who are familiar with security protocols
can identify and report suspicious activity more effectively, enabling a faster response
to security incidents.
• Enhanced Compliance: A well-designed SETA program can help organizations meet
regulatory requirements related to data security and privacy.
• Stronger Security Culture: By fostering a culture of security awareness, employees
become more invested in protecting the organization's information assets.
Overall, a SETA program is a critical component of any organization's cybersecurity
strategy. By educating and empowering users, organizations can significantly reduce their
security risks and create a more secure IT environment.
12. What is security training?
Security training is a specific component of a broader Security Education, Training, and
Awareness (SETA) program. It focuses on providing users with the knowledge and skills
necessary to perform their jobs securely within an organization. Here's a breakdown of
what security training entails:
Focus:
• In-depth instruction on security procedures and tools relevant to a user's role.
• It goes beyond general security awareness to equip users with practical skills to
implement security best practices.
Content:
• Can vary depending on user roles and responsibilities.
• For example, training for IT professionals might cover advanced security concepts,
system hardening techniques, and incident response procedures.
• For general employees, training might focus on password management, identifying
phishing attempts, and reporting suspicious activity.
Delivery Methods:
• Can be delivered in various formats, including:
o Online modules
o In-person workshops
o Interactive simulations
o On-the-job training
Benefits:
• Equips users with the skills to actively participate in the organization's security posture.
• Empowers users to make informed decisions regarding security practices relevant to
their daily tasks.
• Reduces the risk of human error contributing to security incidents.
13. Describe the strategy of risk transfer and risk mitigation.
Risk transfer and risk mitigation are two fundamental strategies used in information
security risk management to address potential threats and vulnerabilities to an
organization's information assets. Here's a breakdown of each strategy:
Risk Transfer:
• Concept: This strategy involves shifting the financial burden or responsibility for a risk
to a third party.
• How it Works: Organizations can transfer risk through various methods:
o Insurance: Purchasing cyber insurance can transfer the financial burden of a
cyberattack to the insurance company.
o Outsourcing: By outsourcing data storage or specific IT functions to a
reputable provider, the associated security risks become partly the responsibility
of the outsourced service provider.
o Vendor Contracts: Contracts with vendors can stipulate that the vendor takes
on some liability for security breaches caused by their products or services.
Risk Mitigation:
• Concept: This strategy focuses on reducing the likelihood or impact of a security threat
or vulnerability.
• How it Works: Organizations can implement various mitigation strategies:
o Security Controls: Installing firewalls, intrusion detection systems, data
encryption, and access controls can significantly reduce the likelihood of
successful attacks.
o Security Awareness Training: Educating employees about cybersecurity best
practices helps them identify and avoid threats like phishing attempts.
o Patch Management: Regularly applying security patches to software and
systems addresses known vulnerabilities and reduces exploitability.
14. Describe residual risk.
Residual risk refers to the level of risk that remains after an organization has implemented
risk mitigation measures and controls to address potential threats and vulnerabilities. It
represents the risk that cannot be completely eliminated or reduced through these measures.
Residual risk is an important concept in risk management and is considered in various
contexts, including compliance requirements and decision-making processes.
15. What are the common approaches to implement the mitigation risk treatment strategy?

There are four common approaches to implement the mitigation risk treatment strategy. Here's
a breakdown of each:

1. Risk Avoidance: This approach prioritizes completely eliminating the risk. Here's
how it works:
o Focus: Completely remove the threat or vulnerability from the equation.
o Example: If using a cloud storage service poses a security risk for a specific
type of data, the organization might avoid that risk altogether by storing that
data on-premises with stricter physical controls.
2. Risk Reduction: This approach aims to minimize the likelihood or impact of a
security threat. Here's how it works:
o Focus: Implement controls and procedures to make a successful attack more
difficult or lessen the potential damage.
o Example: Installing firewalls, intrusion detection systems (IDS), and data
encryption can significantly reduce the likelihood of a successful cyberattack.
3. Risk Transfer: This approach involves shifting the financial burden or responsibility
for a risk to a third party. Here's how it works:
o Methods:
▪ Insurance: Purchasing cyber insurance can transfer the financial
burden of a cyberattack to the insurance company.
▪ Outsourcing: By outsourcing data storage or specific IT functions to a
reputable provider, the associated security risks become partly the
responsibility of the outsourced service provider.
▪ Vendor Contracts: Contracts with vendors can stipulate that the
vendor takes on some liability for security breaches caused by their
products or services.
4. Risk Acceptance: This approach acknowledges a risk and chooses to tolerate it
without taking further action to mitigate it. Here's how it works:
o Criteria: The risk is deemed acceptable based on factors like likelihood,
potential impact, and the cost of mitigation compared to the value of the asset.
o Example: The cost of implementing additional security controls for a low-
value asset with a minimal potential impact from a security breach might be
deemed too high. In such a case, the organization might choose to accept the
residual risk.

16. What is a disaster recovery plan, and why is it important to the organization?

A disaster recovery plan (DRP) is a documented strategy outlining the steps an organization
will take to recover its IT infrastructure and data after a disruptive event. It's essentially a
roadmap that guides the organization's response to ensure business continuity in the face of
disasters, both natural and human-caused.

Here's why a DRP is crucial for any organization:

• Minimizes Downtime and Data Loss: A well-defined DRP ensures a quicker
recovery from disasters, minimizing downtime and potential data loss. This translates
to reduced financial impact and reputational damage.
• Maintains Business Continuity: By having a plan in place, organizations can resume
critical operations more quickly, preventing significant disruptions to their core
business functions.
• Improves Decision-Making: The DRP provides a clear course of action during a
crisis, enabling faster and more informed decisions under pressure.
• Enhances Preparedness: Developing and maintaining a DRP promotes a culture of
preparedness within the organization, ensuring everyone understands their roles and
responsibilities in the event of a disaster.
• Regulatory Compliance: Certain industries have regulations that mandate the
existence and regular testing of a DRP.

17. What is a business continuity plan, and why is it important?

A business continuity plan (BCP) is a strategic roadmap that outlines how an organization
will respond to and recover from disruptions to its operations. It goes beyond just IT
infrastructure and data recovery, considering the bigger picture of the entire business.
Here's why a BCP is crucial for any organization:
• Prepares for a Wider Range of Disruptions: A BCP encompasses a broader scope
than a disaster recovery plan (DRP) which focuses primarily on IT systems. It considers
various disruptive events, including natural disasters, cyberattacks, power outages, and
even pandemics.
• Ensures Business Continuity: The BCP outlines how critical business functions will
be maintained during and after a disruption. This could involve implementing
alternative work arrangements, utilizing backup resources, or activating supplier
redundancy plans.
• Minimizes Downtime and Financial Losses: By having a plan for swift recovery,
organizations can minimize downtime and the associated financial losses caused by
disruptions.
• Protects Reputation: A swift and effective response to a crisis can help maintain
customer and stakeholder confidence, minimizing reputational damage.
• Improves Decision-Making: The BCP provides a clear framework for decision-
making during a crisis, enabling leaders to react quickly and efficiently.
• Enhances Employee Morale: A well-communicated BCP can help employees feel
more prepared and confident in the organization's ability to handle disruptions.
Analogy:
Imagine a BCP as a recipe for business resilience. It outlines the ingredients (resources,
procedures) and steps needed to overcome various challenges (disruptions) and ensure the
business continues to function (the finished baked good). Just like a recipe helps you adapt
to missing ingredients or unexpected situations, a BCP allows organizations to adapt their
response to different disruption scenarios.
Key Differences Between BCP and DRP:
While both BCP and DRP are crucial for organizational preparedness, there are key
distinctions:
• Scope: BCP has a broader scope, encompassing all aspects of the business, while DRP
focuses on IT infrastructure and data recovery.
• Focus: BCP emphasizes maintaining critical business functions, while DRP
emphasizes recovering IT systems and data.
• Activities: BCP might involve activating communication plans, securing physical
assets, or relocating operations, whereas DRP focuses on restoring data and IT systems.
In conclusion, a BCP is an essential tool for ensuring an organization's ability to
weather storms and maintain its operations in the face of disruptions. It complements
a DRP by providing a comprehensive strategy for business resilience.
18. What is a business impact analysis, and what is it used for?
A business impact analysis (BIA) is a systematic process used to predict and evaluate the
potential consequences of a disruption to a business. It gathers information necessary for
developing recovery strategies. A BIA is typically conducted as part of the business
continuity planning (BCP) or disaster recovery planning (DRP) process.
The objective of a BIA is to identify and assess the potential effects of an interruption to
critical business operations caused by a disaster, accident, or emergency. It helps
organizations understand the impact of such disruptions and prioritize their recovery
efforts. A BIA provides valuable insights into the essential functions, systems, staff, and
technology resources required for optimal business operations. It also attempts to quantify
the financial and nonfinancial costs associated with a disaster and estimates the time
required to recover each business function to minimize operational impacts.
Here are the key steps involved in conducting a BIA:
1. Prepare for the BIA project: Secure approval from senior management, form a
trained team, and develop a detailed BIA plan.
2. Gather relevant information: Collect data through questionnaires, interviews, or
existing documentation. Identify mission-critical applications, business processes,
resources, and dependencies.
3. Evaluate and analyze the data: Review the collected data, identify critical business
processes, and determine the impact of their disruption using performance metrics
such as recovery time objective (RTO), recovery point objective (RPO), and
maximum tolerable downtime (MTD).
4. Prepare a report: Document the findings of the BIA, including potential losses,
recovery recommendations, legal and regulatory requirements, and recovery
priorities.
5. Present the results to senior management: Discuss the findings with senior
managers, who can then use the BIA report to develop the BCP and DRP.
A BIA is an essential tool for organizations to understand the potential impacts of
disruptions and develop effective strategies for recovery and restoration of critical business
functions. It helps organizations prioritize their resources and investments to minimize the
impact of unplanned events.
19. What is the difference between law and ethics?
Law and ethics are two distinct concepts that govern human behavior, but they differ in
their nature, scope, and enforcement. Here's a brief explanation of the difference between
law and ethics:
Law:
➢ Nature: Law refers to a system of rules and regulations established by a governing
authority, such as a government or legislative body. It is a formal and codified set
of rules that are enforceable by the legal system.
➢ Scope: Laws are generally applicable to a specific jurisdiction and are designed to
regulate various aspects of society, including behavior, relationships, rights, and
obligations.
➢ Enforcement: Laws are enforced by the government through the legal system.
Violations of the law can result in penalties, such as fines, imprisonment, or other
legal consequences.
Ethics:
➢ Nature: Ethics, on the other hand, refers to a set of moral principles and values that
guide individual or collective behavior. It is a subjective and personal framework
that helps individuals determine what is right or wrong, good or bad.
➢ Scope: Ethics is broader in scope and encompasses personal beliefs, values, and
moral judgments. It extends beyond legal requirements and addresses questions of
morality, fairness, and integrity.
➢ Enforcement: Ethics is not enforced by a governing authority or legal system. It
relies on individuals' internal moral compass, societal norms, and professional
codes of conduct. Violations of ethical principles may result in reputational damage,
loss of trust, or social consequences.
In summary, law is a formal system of rules established by the government and enforced
by the legal system, while ethics refers to personal or collective moral principles that guide
behavior and decision-making. While laws provide a minimum standard of conduct, ethics
sets higher standards based on personal values and societal expectations.
20. What is a methodology in the context of implementing secure systems?
In the context of implementing secure systems, a methodology refers to a systematic
approach or framework that guides the process of developing and implementing secure
systems. It provides a structured and organized way to address security requirements,
identify potential vulnerabilities, and implement appropriate security measures. A
methodology helps ensure that security is considered throughout the entire system
development lifecycle, from the initial planning and design stages to the implementation,
testing, and maintenance phases.
21. What is a systems development life cycle (or SDLC)?
A systems development life cycle (SDLC) is a conceptual model used in project
management to describe the stages involved in developing an information system. It
provides a structured approach to the development process, from the initial feasibility study
to the maintenance of the completed application.
