Explanation: Understanding whether application development is performed internally or outsourced is critical to assessing the security practices applied during development. Internal teams may adhere to organizational standards, while third-party developers may require additional scrutiny.

Risks of Incorrect Answer: Lack of visibility into third-party development practices.

Security vulnerabilities introduced during development phases.

Non-compliance with industry or client-specific security requirements.

Applicable Frameworks: NIST SP 800-64: Focuses on integrating security into the SDLC.

ISO 27001 (A.15.1.1): Addresses supplier relationships, including outsourced development

Explanation: A secure SDLC ensures that security is embedded throughout the application development process, from requirements gathering to deployment and maintenance. This reduces vulnerabilities and ensures compliance with security standards.

Risks of Incorrect Answer: Development of applications with unaddressed security flaws.

Increased costs for post-deployment fixes.

Data breaches resulting from insecure applications.

Applicable Frameworks: NIST SP 800-64: Provides guidance on secure software development.

ISO 27034: Focuses on application security controls within the SDLC.

OWASP SAMM (Software Assurance Maturity Model): Covers security during development phases.

Explanation: Classifying applications by risk level ensures that security measures are proportional to the sensitivity of the data they handle. High-risk applications require more stringent controls than low-risk ones

.

Risks of Incorrect Answer: Failure to apply adequate security controls to critical applications.

Misclassification of applications leading to resource misallocation.

Breaches involving highly sensitive data due to insufficient protections.

Applicable Frameworks: ISO 27001 (A.8.2.1): Covers classification of information.

NIST CSF (ID.RA-2): Involves risk assessment processes.

HIPAA: Requires risk assessments for systems accessing PHI