The required components for implementing software configuration management systems are audit control and signoff, rollback and recovery processes, and regression testing and evaluation. Software configuration management systems are tools and techniques that enable the identification, control, tracking, and verification of the changes and versions of software products throughout the software development life cycle. Audit control and signoff are the mechanisms that ensure that the changes and versions of the software products are authorized, documented, reviewed, and approved by the appropriate stakeholders. Rollback and recovery processes are the procedures that enable the restoration of the previous state or version of the software products in case of a failure or error. Regression testing and evaluation are the methods that verify that the changes and versions of the software products do not introduce new defects or affect the existing functionality or performance. User training and acceptance are not required components for implementing software configuration management systems, as they are related to the deployment and operation of the software products, not the configuration management. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1037. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1063.

Explanation/Reference:
Explanation:
The security department would be busy in the development phase as it includes the follow security related activities:
Security functional requirements analysis

Identifies the protection levels that must be provided by the system to meet all regulatory, legal, and policy compliance needs.
Security assurance requirements analysis

Identifies the assurance levels the system must provide. The activities that need to be carried out to ensure the desired level of confidence in the system are determined, which are usually specific types of tests and evaluations.
Security plan

Documented security controls the system must contain to ensure compliance with the company's security needs.
Security test and evaluation plan

Outlines how security controls should be evaluated before the system is approved and deployed.
Incorrect Answers:
A: It would be too late to involve the security department during the implementation phase.
B: It would be too late to involve the security department during Testing Phases including the System Testing phase.
C: It would be too late to involve the security department during the Unit Testing phase.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1091

Explanation/Reference:
Explanation:
Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at "cracking" the cipher is also known as an attack.
In a Known Plaintext attack, the attacker has both the plaintext and the associated ciphertext of several messages.
Incorrect Answers:
A: In a known plaintext attack, the attacker does not have the key.
B: In a known plaintext attack, the attacker does not have the secret key.
D: In a known plaintext attack, the attacker does not have the algorithm.
Krutz, Ronald L. and Russel Dean Vines, The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, New York, 2001, p. 154

Section: Security Operations