Certified in Risk and Information Systems Control (CRISC) — Question 1105
Which of the following MOST effectively ensures controls are built into applications during development?
Answer options
- A. Independent post-implementation reviews of system development projects by internal audit
- B. Static code scanning throughout the systems development life cycle (SDLC)
- C. Dynamic security testing before applications move to production
- D. Engagement of security team early in the systems development life cycle (SDLC)
Correct answer: D
Explanation
Engaging the security team early in the SDLC, at requirements and design, is the most effective option because it is the only one that shapes what gets built: security requirements are defined, threats are modelled, and controls are designed into the application before code exists. The other options detect defects in something already built. Post-implementation audit reviews come after deployment, dynamic testing exercises a running application just before production, and static code scanning, even when run throughout the SDLC, can only flag weaknesses in code that has already been written; none of them can guarantee that the right controls were specified and designed in from the start.