CHAPTER 4

IT Life Cycle Management

This chapter covers CISA Domain 3, “Information Systems Acquisition, Development, and Implementation,” and includes questions from the following topics:

•   Program and project management

•   The systems development life cycle (SDLC)

•   Infrastructure development and implementation

•   Maintaining information systems

•   Business processes and business process reengineering

•   Managing third-party risk

•   Application controls

The topics in this chapter represent 12 percent of the CISA examination.

To provide effective audits of an organization’s information systems and related business processes, the IS auditor needs to understand how organizations develop and/or acquire information systems. The systems development life cycle (SDLC) has undergone significant changes in the past several years, as organizations migrate away from developing line-of-business applications and instead become users of commercial off-the-shelf (COTS) software or Software-as-a-Service (SaaS) software. Regardless, the core components of an SDLC (feasibility study, requirements, testing, and implementation) are largely unchanged. Because all of these forms of software development and acquisition are common today, IS auditors need a broad understanding of all forms of the SDLC.

QUESTIONS

1.   What is the best reason for considering a proof of concept?

A.   The system being considered is too expensive to implement all at once.

B.   The system being considered will be a fully customized solution.

C.   The system being considered is too complicated to evaluate fully.

D.   The system being considered is not yet available.

2.   A formal process whereby the organization gathers all business and technical requirements and forwards them to several qualified vendors, who then respond to them, is called:

A.   Request for information (RFI)

B.   Request for proposals (RFP)

C.   Request for evaluation (RFE)

D.   Request for quote (RFQ)

3.   An organization that wishes to acquire IT products or services that it fully understands should issue what kind of document?

A.   Request for proposals (RFP)

B.   Request for information (RFI)

C.   Statement of work (SOW)

D.   Bid schedule

4.   Which SEI CMM maturity level states that there is some consistency in the ways that individuals perform tasks from one time to the next, as well as some management planning and direction to ensure that tasks and projects are performed consistently?

A.   Initial

B.   Defined

C.   Repeatable

D.   Managed

5.   At what stage in the acquisition process should a project team develop requirements?

A.   After writing the test plan

B.   After operational process development

C.   Prior to writing the test plan

D.   Prior to operational process development

6.   All of the following are activities a project manager must perform to ensure a project is progressing in accordance with its plan except:

A.   Designing and testing the system

B.   Tracking project expenditures

C.   Recording task completion

D.   Managing the project schedule

7.   During which phase of the infrastructure development life cycle are all changes to the environment performed under formal processes, including incident management, problem management, defect management, change management, and configuration management?

A.   Testing

B.   Design

C.   Implementation

D.   Maintenance

8.   Which management processes cover the post-implementation phase of the SDLC?

A.   Maintenance management and change management

B.   Change management and configuration management

C.   Service management and configuration management

D.   Incident management and problem management

9.   Change management and configuration management are key to which phase of the SDLC?

A.   Requirement definition

B.   Design

C.   Maintenance

D.   Testing

10.   Which of the following is a formal verification of system specifications and technologies?

A.   Design review

B.   User acceptance testing (UAT)

C.   Implementation review

D.   Quality assurance testing (QAT)

11.   All of the following are considerations when selecting and evaluating a software vendor except:

A.   Source code languages

B.   Financial stability

C.   References

D.   Vendor supportability

12.   Which type of quality assurance method involves the users rather than IT or IS personnel?

A.   System testing

B.   Functional testing

C.   Quality assurance testing (QAT)

D.   User acceptance testing (UAT)

13.   All of the following are considered risks to a software development project except:

A.   Delivered software not adequately meeting business needs

B.   Delivered software not meeting efficiency needs

C.   Termination of the project manager

D.   Project falling behind schedule or exceeding budget

14.   Analysis of regulations and market conditions normally takes place during which phase of the SDLC?

A.   Testing phase

B.   Feasibility study

C.   Design phase

D.   Requirements definition phase

15.   Which term describes a Scrum project and is a focused effort to produce some portion of the total project deliverable?

A.   Milestone

B.   Objective

C.   Daily Scrum

D.   Sprint

16.   For what reason would an Internet-based financial application record the IP address of users who log in?

A.   This permits application performance testing.

B.   This provides localization information to the application.

C.   This provides authentication information to the application.

D.   This provides forensic information that can be used later.

17.   In the context of logical access controls, the terms “subject” and “object” refer to:

A.   “Subject” refers to the person who is accessing the data, and “object” refers to the data being accessed.

B.   “Subject” refers to the data being accessed, and “object” refers to the file that contains the data.

C.   “Subject” refers to the security context, and “object” refers to the data.

D.   “Subject” refers to the data, and “object” refers to the person or entity accessing the data.

18.   In the context of logical access control, what does the term “fail closed” mean?

A.   In the event of a power outage, all access points are closed.

B.   If access is denied, a database table will be closed or locked to changes.

C.   If an access control mechanism fails, all access will be denied.

D.   If an access control mechanism fails, all access will be allowed.

19.   When would you design an access control to “fail open”?

A.   In the case of fire suppression controls, which would need to activate immediately if a fire is detected.

B.   In the case of building access controls, which would need to permit evacuation of personnel in an emergency.

C.   In the event of an emergency, where data access controls would need to allow anyone access to data so it could be backed up successfully and removed from the site.

D.   In the case of an incident, where outside investigators would require immediate and complete access to restricted data.

20.   What are the three levels of the Constructive Cost Model (COCOMO) method for estimating software development projects?

A.   Basic, Intermediate, and Detailed

B.   Levels I, II, and III

C.   Initial, Managed, and Optimized

D.   Organic, Semi-detached, and Embedded

21.   The best source for requirements for an RFP project is:

A.   Published industry standards

B.   The incumbent system’s specifications

C.   Vendors and suppliers

D.   The organization’s own business, technical, and security requirements

22.   An organization wants to build a new application, but it has not yet defined precisely how end-user interaction will work. Which application development technique should be chosen to determine end-user interaction?

A.   Prototyping

B.   RAD

C.   Waterfall

D.   Scrum

23.   A project manager regularly sends project status reports to executive management. Executives are requesting that status reports include visual diagrams showing the project schedule and project-critical paths from week to week. Which type of a chart should the project manager use?

A.   WBS

B.   PRINCE2

C.   PERT

D.   Gantt

24.   During which phase of the SDLC are functionality and design characteristics verified?

A.   Maintenance

B.   Implementation

C.   Testing

D.   Design

25.   Which kind of testing ensures that data is being formatted properly and inserted into the new application from the old application?

A.   Unit testing

B.   Migration testing

C.   Regression testing

D.   Functional testing

26.   Which entity commissions feasibility studies to support a business case?

A.   Project team

B.   Project manager

C.   CISO

D.   IT steering committee

27.   What is the purpose of a configuration management database?

A.   Storage of every change made to system components

B.   Storage of available configurations for system components

C.   Storage of approvals for configuration changes to a system

D.   Storage of the most recent change made to system components

28.   When is the best time for an organization to measure business benefits of a new system?

A.   During unit testing

B.   One year after implementation

C.   During requirements definition

D.   During user acceptance testing

29.   Which of the following represents the components of the project in graphical or tabular form and is a visual or structural representation of the system, software, or application?

A.   Data flow diagram (DFD)

B.   Work breakdown structure (WBS)

C.   Zachman model

D.   Object breakdown structure (OBS)

30.   Which type of tests will determine whether there are any failures or errors in input, processing, or output controls in an application?

A.   Referential integrity tests

B.   Data conversion tests

C.   Data integrity tests

D.   Static data storage tests

31.   Which quantitative method of sizing software projects is repeatable for traditional programming languages, but is not as effective with newer, nontextual languages?

A.   Source lines of code (SLOC)

B.   Work breakdown structure (WBS)

C.   Object breakdown structure (OBS)

D.   Constructive Cost Model (COCOMO)

32.   Which type of testing, usually performed by developers during the coding phase of the software development project, is used to verify that the code in various parts of the application works properly?

A.   Unit testing

B.   Regression testing

C.   Functional testing

D.   User acceptance testing

33.   An organization is considering acquiring a key business application from a small software company. What business provision should the organization require of the software company?

A.   Bonding

B.   Liability insurance

C.   Developer background checks

D.   Place source code in escrow

34.   Which phase of the SDLC is continually referenced during the development, acquisition, and testing phases to ensure that the system is meeting the required specifications?

A.   Testing

B.   Requirements definition

C.   Design

D.   Implementation

35.   What is the purpose of the review process after each phase of the SDLC?

A.   To establish additional requirements

B.   To change existing requirements

C.   To ensure that project deliverables meet the agreed-upon requirements

D.   To provide end users with a progress check on system development

QUICK ANSWER KEY

1. C

2. B

3. A

4. C

5. C

6. A

7. D

8. B

9. C

10. D

11. A

12. D

13. C

14. B

15. D

16. D

17. A

18. C

19. B

20. A

21. D

22. A

23. C

24. C

25. B

26. D

27. A

28. B

29. D

30. C

31. A

32. A

33. D

34. B

35. C

ANSWERS

1.   What is the best reason for considering a proof of concept?

A.   The system being considered is too expensive to implement all at once.

B.   The system being considered will be a fully customized solution.

C.   The system being considered is too complicated to evaluate fully.

D.   The system being considered is not yet available.

C. The system being evaluated is too complex to evaluate in a walkthrough or by analyzing its specifications.

A is incorrect because the cost of a system is not a primary reason for considering a POC.

B is incorrect because a fully customized solution would not yet exist for a POC to take place.

D is incorrect because a solution that is not yet available cannot be evaluated in a POC.

2.   A formal process whereby the organization gathers all business and technical requirements and forwards them to several qualified vendors, who then respond to them, is called:

A.   Request for information (RFI)

B.   Request for proposals (RFP)

C.   Request for evaluation (RFE)

D.   Request for quote (RFQ)

B. An RFP is the formal process used to publish the organization’s requirements to several vendors, who will then reply formally with proposals that will meet those requirements.

A is incorrect because an RFI does not meet all of these requirements.

C is incorrect because an RFE does not meet all of these requirements.

D is incorrect because an RFQ does not meet all of these requirements.

3.   An organization that wishes to acquire IT products or services that it fully understands should issue what kind of document?

A.   Request for proposals (RFP)

B.   Request for information (RFI)

C.   Statement of work (SOW)

D.   Bid schedule

A. An organization that wishes to acquire a new IT system or service that it already fully understands should issue a request for proposals (RFP). If the organization does not yet understand the IT products or services it wants to acquire, it should first issue a request for information (RFI) in order to learn more about them.

B is incorrect because an RFI does not meet all of these requirements.

C is incorrect because an SOW is not issued by a customer organization, but by a product or service organization.

D is incorrect because a bid schedule does not provide detailed information on IT products or services.

4.   Which SEI CMM maturity level states that there is some consistency in the ways that individuals perform tasks from one time to the next, as well as some management planning and direction to ensure that tasks and projects are performed consistently?

A.   Initial

B.   Defined

C.   Repeatable

D.   Managed

C. The repeatable level of the SEI CMM five-level model states that there is some consistency in the ways that individuals perform tasks from one time to the next, as well as some management planning and direction to ensure that tasks and projects are performed consistently.

A is incorrect because the initial level of the SEI CMM model defines an ad hoc, unmanaged process.

B is incorrect because the defined level of the SEI CMM model signifies a process that is documented but probably not measured.

D is incorrect because the managed level of the SEI CMM model signifies a process that is more mature, with statistics and perhaps even metrics.

5.   At what stage in the acquisition process should a project team develop requirements?

A.   After writing the test plan

B.   After operational process development

C.   Prior to writing the test plan

D.   Prior to operational process development

C. Requirements should be developed early in the systems development/acquisitions life cycle. The best answer here is prior to writing the test plan, but, ideally, requirements will be developed far earlier than that—even before the solution is designed.

A is incorrect because test plans are written directly from requirements, so that testing can confirm whether requirements have been met.

B is incorrect because processes need to comply with requirements, which means requirements need to be developed before processes are designed.

D is incorrect because this is still not early enough—requirements need to be developed prior to solution selection and design.

6.   All of the following are activities a project manager must perform to ensure a project is progressing in accordance with its plan except:

A.   Designing and testing the system

B.   Tracking project expenditures

C.   Recording task completion

D.   Managing the project schedule

A. It is not the project manager’s job to design and test the system, but instead to coordinate those activities as performed by others.

B, C, and D are incorrect. They all are activities the project manager must carry out to ensure a project is on track and meeting scheduling and budget requirements. System design and testing are not normally carried out by the project manager role.

7.   During which phase of the infrastructure development life cycle are all changes to the environment performed under formal processes, including incident management, problem management, defect management, change management, and configuration management?

A.   Testing

B.   Design

C.   Implementation

D.   Maintenance

D. After a system has been put into production, the maintenance phase involves activities relating to incident management, problems, defects, changes, and configuration.

A is incorrect because testing is performed before the infrastructure is placed into production.

B is incorrect because design precedes changes.

C is incorrect because implementation is completed before subsequent changes are made.

8.   Which management processes cover the post-implementation phase of the SDLC?

A.   Maintenance management and change management

B.   Change management and configuration management

C.   Service management and configuration management

D.   Incident management and problem management

B. The post-implementation phase of the SDLC is carried out by the change management and configuration management processes.

A is incorrect because maintenance management is not a formal operational term.

C is incorrect because service management is not concerned with the management of an application after implementation.

D is incorrect because incident and problem management are not concerned with the management of an application after implementation.

9.   Change management and configuration management are key to which phase of the SDLC?

A.   Requirement definition

B.   Design

C.   Maintenance

D.   Testing

C. Change management and configuration management are essential operational processes in the maintenance phase of the SDLC.

A is incorrect because requirements definition is performed prior to initial implementation.

B is incorrect because design is performed prior to initial implementation.

D is incorrect because testing is performed during and immediately after initial development.

10.   Which of the following is a formal verification of system specifications and technologies?

A.   Design review

B.   User acceptance testing (UAT)

C.   Implementation review

D.   Quality assurance testing (QAT)

D. Quality assurance testing is a formal verification of system specifications and technologies. Users are usually not involved in QAT; instead, this testing is typically performed by IT or IS departments.

A is incorrect because design review is not a verification of technologies, since development and implementation have not yet taken place.

B is incorrect because UAT is a test of functionality, not of technologies.

C is incorrect because implementation review does not verify specification, but the implementation process itself.

11.   All of the following are considerations when selecting and evaluating a software vendor except:

A.   Source code languages

B.   Financial stability

C.   References

D.   Vendor supportability

A. A software vendor’s choice of source code languages is of lesser concern when selecting and evaluating software vendors.

B, C, and D are incorrect. These all are considerations when evaluating and selecting a software or system vendor. Internal processes that the vendor may or may not have are not a factor in selection, but in the long run may affect the end product in terms of quality, support, and so on.

12.   Which type of quality assurance method involves the users rather than IT or IS personnel?

A.   System testing

B.   Functional testing

C.   Quality assurance testing (QAT)

D.   User acceptance testing (UAT)

D. User acceptance testing (UAT) should consist of a formal, written body of specific tests that permits application users to determine whether the application will operate properly.

A is incorrect because users are not involved in system testing.

B is incorrect because users are not involved in functional testing—this is performed by developers.

C is incorrect because QAT is performed by alternative developers or software test personnel.

13.   All of the following are considered risks to a software development project except:

A.   Delivered software not adequately meeting business needs

B.   Delivered software not meeting efficiency needs

C.   Termination of the project manager

D.   Project falling behind schedule or exceeding budget

C. Termination of the project manager is not an anticipated risk in a software development project.

A, B, and D are incorrect. Delivered software not meeting business needs or business efficiency needs are risks, as are cost and schedule overruns. Termination of a project manager is not considered a risk to a project, as they can be more easily replaced.

14.   Analysis of regulations and market conditions normally takes place during which phase of the SDLC?

A.   Testing phase

B.   Feasibility study

C.   Design phase

D.   Requirements definition phase

B. Analysis of changes in business conditions, including market changes and regulations, takes place during the feasibility study, prior to requirements definition, design, and testing.

A is incorrect because testing takes place after development has taken place.

C is incorrect because the design phase is concerned with the logical design of the system.

D is incorrect because requirements definition is concerned with ensuring that the system meets business needs.

15.   Which term describes a Scrum project and is a focused effort to produce some portion of the total project deliverable?

A.   Milestone

B.   Objective

C.   Daily Scrum

D.   Sprint

D. A typical Scrum project consists of several “sprints,” which are focused efforts to produce some portion of the total project deliverable. A sprint usually lasts from two to four weeks.

A is incorrect because a milestone is a point in a project when a key objective has been completed.

B is incorrect because an objective is a goal of a project.

C is incorrect because a Daily Scrum is a daily project status meeting in a Scrum project.

16.   For what reason would an Internet-based financial application record the IP address of users who log in?

A.   This permits application performance testing.

B.   This provides localization information to the application.

C.   This provides authentication information to the application.

D.   This provides forensic information that can be used later.

D. In an Internet-based financial application, it may be useful to record the IP address of each user who logs in. While it may be infeasible to restrict access by IP address (especially for traveling users), recording IP address at the time of login can be useful later on if there is a reason to believe that a user’s account has been hijacked.

A is incorrect because there is little or no correlation between a user’s IP address and application performance.

B is incorrect because IP addresses are not always a reliable indicator of location, particularly if the user is employing a VPN.

C is incorrect because reliance on IP address as authentication is not the best available answer. Still, an IP address can provide information concerning the whereabouts of the subject. However, relying entirely on IP address for location information is not reliable since the subject could be using a VPN.

17.   In the context of logical access controls, the terms “subject” and “object” refer to:

A.   “Subject” refers to the person who is accessing the data, and “object” refers to the data being accessed.

B.   “Subject” refers to the data being accessed, and “object” refers to the file that contains the data.

C.   “Subject” refers to the security context, and “object” refers to the data.

D.   “Subject” refers to the data, and “object” refers to the person or entity accessing the data.

A. The terms “subject” and “object” are used in the context of access management. Subject refers to a person (or program or machine), and object refers to data (or other resource) being accessed.

B is incorrect because this definition of “object” is too narrow.

C is incorrect because “subject” and “object” are not used in this manner.

D is incorrect because “subject” and “object” are not used in this manner.

18.   In the context of logical access control, what does the term “fail closed” mean?

A.   In the event of a power outage, all access points are closed.

B.   If access is denied, a database table will be closed or locked to changes.

C.   If an access control mechanism fails, all access will be denied.

D.   If an access control mechanism fails, all access will be allowed.

C. The correct definition of “fail closed” in an access control mechanism is one in which all requested accesses will be denied.

A, B, and D are incorrect because these are incorrect definitions of “fail closed.”

19.   When would you design an access control to “fail open”?

A.   In the case of fire suppression controls, which would need to activate immediately if a fire is detected.

B.   In the case of building access controls, which would need to permit evacuation of personnel in an emergency.

C.   In the event of an emergency, where data access controls would need to allow anyone access to data so it could be backed up successfully and removed from the site.

D.   In the case of an incident, where outside investigators would require immediate and complete access to restricted data.

B. A good example of an access control to “fail open” is the case of building access controls, which would need to permit evacuation of personnel in an emergency.

A, C, and D are incorrect because these are not examples of “fail open.”

20.   What are the three levels of the Constructive Cost Model (COCOMO) method for estimating software development projects?

A.   Basic, Intermediate, and Detailed

B.   Levels I, II, and III

C.   Initial, Managed, and Optimized

D.   Organic, Semi-detached, and Embedded

A. The three levels of the COCOMO method for estimating software development projects are Basic, Intermediate, and Detailed.

B is incorrect because Levels I, II, and III are not the levels of COCOMO.

C is incorrect because Initial, Managed, and Optimized are not the levels of COCOMO.

D is incorrect because Organic, Semi-detached, and Embedded are not the levels of COCOMO.

21.   The best source for requirements for an RFP project is:

A.   Published industry standards

B.   The incumbent system’s specifications

C.   Vendors and suppliers

D.   The organization’s own business, technical, and security requirements

D. An organization that is developing requirements for an RFP (request for proposals) for products or services from vendors needs to develop these requirements internally.

A is incorrect because there is no industry-standard list of requirements available, as every organization is different.

B is incorrect because the incumbent system may no longer be meeting the organization’s requirements, and hence should not be used for a replacement system.

C is incorrect because requirements should definitely not come from vendors (who would develop requirements to ensure that only their products or services could be selected).

22.   An organization wants to build a new application, but it has not yet defined precisely how end-user interaction will work. Which application development technique should be chosen to determine end-user interaction?

A.   Prototyping

B.   RAD

C.   Waterfall

D.   Scrum

A. The best development methodology in a situation where the organization is unable to determine (in the design phase) how end-user interaction will work in a system is to build prototypes of various kinds until the most suitable one can be chosen.

B is incorrect because RAD is more suited for situations where more is known about the desired function of the system.

C is incorrect because waterfall is more suited for projects where requirements can all be developed in advance.

D is incorrect because Scrum is not the best choice; however, Scrum is a good alternative.

23.   A project manager regularly sends project status reports to executive management. Executives are requesting that status reports include visual diagrams showing the project schedule and project-critical paths from week to week. Which type of a chart should the project manager use?

A.   WBS

B.   PRINCE2

C.   PERT

D.   Gantt

C. A PERT chart shows the project status and critical path for a given project.

A is incorrect because WBS does not show project status or critical path, but instead the structure of the project.

B is incorrect because PRINCE2 is a methodology, not a reporting tool.

D is incorrect because Gantt does show project status but not critical path.

24.   During which phase of the SDLC are functionality and design characteristics verified?

A.   Maintenance

B.   Implementation

C.   Testing

D.   Design

C. Testing is the phase of a development process where functionality and design are verified in the test plan.

A is incorrect because functionality and design are not verified during maintenance.

B is incorrect because functionality and design are not verified during implementation.

D is incorrect because functionality and design are not verified during the design phase of a project.

25.   Which kind of testing ensures that data is being formatted properly and inserted into the new application from the old application?

A.   Unit testing

B.   Migration testing

C.   Regression testing

D.   Functional testing

B. When one application is replacing another, data from the old application is often imported into the new application to eliminate the need for both old and new applications to function at the same time. Migration testing ensures that data is being properly formatted and inserted into the new application. This testing is often performed several times in advance of the real, live migration at cutover time.

A is incorrect because unit testing is used to verify the functionality of small portions of code.

C is incorrect because regression testing is used to verify that changes to a system do not alter functions that are intended to be unaffected by those changes.

D is incorrect because functional testing is used to confirm proper operation of a system.

26.   Which entity commissions feasibility studies to support a business case?

A.   Project team

B.   Project manager

C.   CISO

D.   IT steering committee

D. An IT steering committee formally commissions the feasibility study, approves the project, assigns IT resources to the project, and approves the project schedule.

A is incorrect because a project team’s role is to complete assigned tasks, thereby ensuring the successful execution of a project.

B is incorrect because a project manager’s role is to coordinate project activities, thereby ensuring the successful execution of a project.

C is incorrect because a CISO’s role is to lead and manage an organization’s cybersecurity program.

27.   What is the purpose of a configuration management database?

A.   Storage of every change made to system components

B.   Storage of available configurations for system components

C.   Storage of approvals for configuration changes to a system

D.   Storage of the most recent change made to system components

A. A configuration management database (CMDB) stores all changes made to a system. This makes it possible for system managers to know the precise configuration of every component at any point in time. This often proves useful during system troubleshooting.

B is incorrect because a CMDB does not store available configurations, but actual configurations.

C is incorrect because a CMDB’s purpose is not to store approvals for changes to a system; this is done in the change control process.

D is incorrect because a CMDB stores not only the most recent changes, but all historical changes.

28.   When is the best time for an organization to measure business benefits of a new system?

A.   During unit testing

B.   One year after implementation

C.   During requirements definition

D.   During user acceptance testing

B. The best time to measure business benefits of a new system is after implementation and when enough time has passed for business measurements to be collected and measured.

A is incorrect because the system will not be running if unit testing is still in progress.

C is incorrect because the system will not be running if requirements are still being defined.

D is incorrect because the system will not be completed if UAT is still taking place.

29.   Which of the following represents the components of the project in graphical or tabular form and is a visual or structural representation of the system, software, or application?

A.   Data flow diagram (DFD)

B.   Work breakdown structure (WBS)

C.   Zachman model

D.   Object breakdown structure (OBS)

D. An OBS is a visual or structural representation of the system, software, or application, in a hierarchical form, from high level to fine detail.

A is incorrect because a DFD depicts data flows in a system.

B is incorrect because a WBS depicts all of the work required to complete a project.

C is incorrect because a Zachman model shows the architecture of a system.

30.   Which type of tests will determine whether there are any failures or errors in input, processing, or output controls in an application?

A.   Referential integrity tests

B.   Data conversion tests

C.   Data integrity tests

D.   Static data storage tests

C. Data integrity testing is used to confirm whether an application properly accepts, processes, and stores information. Data integrity tests will determine whether there are any failures or errors in input, processing, or output controls in an application.

A is incorrect because referential integrity tests confirm the correct function of primary and foreign keys in a relational database management system.

B is incorrect because data conversion tests confirm whether data is properly converted from one system to another.

D is incorrect because static data storage tests confirm the correctness of data storage.

31.   Which quantitative method of sizing software projects is repeatable for traditional programming languages, but is not as effective with newer, nontextual languages?

A.   Source lines of code (SLOC)

B.   Work breakdown structure (WBS)

C.   Object breakdown structure (OBS)

D.   Constructive Cost Model (COCOMO)

A. Sizing for software projects has traditionally relied upon source lines of code (SLOC) estimates. A similar measuring unit is kilo lines of code (KLOC). The advantage of SLOC and KLOC is that they are quantitative and somewhat repeatable for a given computer language, such as COBOL, FORTRAN, or BASIC. However, these methods are falling out of favor because many of the languages in use today are not textual in nature.

B is incorrect because WBS is a depiction of the work required to successfully complete a project.

C is incorrect because OBS is a depiction of the components of a system.

D is incorrect because COCOMO is used to calculate the cost, not the size, of a development project.

32.   Which type of testing, usually performed by developers during the coding phase of the software development project, is used to verify that the code in various parts of the application works properly?

A.   Unit testing

B.   Regression testing

C.   Functional testing

D.   User acceptance testing

A. Unit testing is usually performed by developers during the coding phase of the software development project. When each developer is assigned the task of building a section of an application, the specifications that are given to the developer should include test plans or test cases that the developer will use to verify that the code works properly.

B is incorrect because regression testing is used to verify the system continues to work properly.

C is incorrect because functional testing is used to verify the correct operation of a system.

D is incorrect because user acceptance testing is used to confirm that user-facing features of a system work properly.

33.   An organization is considering acquiring a key business application from a small software company. What business provision should the organization require of the software company?

A.   Bonding

B.   Liability insurance

C.   Developer background checks

D.   Place source code in escrow

D. Software escrow ensures that the customer organization will be able to continue using and maintaining an application even if the vendor goes out of business.

A is incorrect because bonding is related to operational liability, not survival of the vendor.

B is incorrect because liability insurance has little or no bearing on the survival of the vendor.

C is incorrect because developer background checks do not measurably help ensure the survival of the vendor.

34.   Which phase of the SDLC is continually referenced during the development, acquisition, and testing phases to ensure that the system is meeting the required specifications?

A.   Testing

B.   Requirements definition

C.   Design

D.   Implementation

B. The requirements definition phase, and the system requirements developed during this phase, is continually referenced throughout the SDLC to ensure that the system meets the requirements that were agreed upon.

A is incorrect because testing is not referenced during all of these phases.

C is incorrect because design is not referenced during all phases of the SDLC.

D is incorrect because implementation is not referenced throughout the SDLC.

35.   What is the purpose of the review process after each phase of the SDLC?

A.   To establish additional requirements

B.   To change existing requirements

C.   To ensure that project deliverables meet the agreed-upon requirements

D.   To provide end users with a progress check on system development

C. Post-phase reviews are used to ensure that any project deliverables due at the end of each phase meet requirements. These reviews are sometimes called “gate reviews” because they represent a gating process where a project is not permitted to progress to a later phase until an earlier phase is reviewed and approved by management.

A is incorrect because additional requirements are not introduced in post-phase reviews.

B is incorrect because requirements are not altered in post-phase reviews.

D is incorrect because the main purpose of post-phase reviews is to review project status and performance, not inform end users of the same.
