The correct answer isDbecause controls should be specified during therequirements definitionstage of the SDLC. At this point, business, security, and control requirements are identified and documented so they can be designed into the system from the beginning rather than added later.
The other options are less appropriate:
A. project initiationbegins the project, but detailed control specification occurs later when requirements are defined.
B. business case developmentjustifies the project but does not specify controls in sufficient detail.
C. system integration testingis used to test implemented controls, not to specify them.
Exact Extracts supporting the answer:
“The system development life cycle stage MOST suitable for incorporating internal controls is design.”
“In the system development life cycle the risk practitioner should first become involved during the planning phase.”
“Initiation is the phase in the system development life cycle where risk related to system requirements should be determined.”
“Before moving on to the system design phase it MUST be accomplished that the risk associated with the proposed system and controls is accepted by management.”
These extracts show that controls must be identified before design and implementation, and among the answer choices,requirements definitionis the correct stage for specifying them.
===========
