Certified in Risk and Information Systems Control (CRISC) — Question 355

Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Answer options

• A. Include information security control specifications in business cases.
• B. Identify key risk indicators (KRIs) as process output.
• C. Identify information security controls in the requirements analysis.
• D. Design key performance indicators (KPIs) for security in system specifications.

Correct answer: C

Explanation

Option C is correct because identifying information security controls during the requirements analysis phase ensures that security measures are integrated from the beginning of the application development process. Options A, B, and D, while relevant, do not address the foundational requirements stage where security controls should be explicitly defined.