Security requirements are the least expensive to implement when they are built into application design.
Security requirements are the specifications or criteria that define the security objectives, functions, features, or attributes of an application, system, or network. Security requirements can help to ensure the confidentiality, integrity, availability, and accountability of the application, system, or network, as well as to protect the application, system, or network from various security threats and risks. Security requirements should be identified, analyzed, and documented in the early stages of the application development life cycle, such as the planning, analysis, or design phases. Security requirements are the least expensive to implement when they are built into application design, as it means that the security requirements are integrated and incorporated into the architecture, structure, and logic of the application, rather than added or modified later in the development life cycle, such as the implementation, testing, or deployment phases. Building security requirements into application design can help to reduce the cost and complexity of the security implementation, as well as to improve the quality and performance of the security of the application. Building security requirements into application design can also help to prevent or minimize the security issues or defects that may arise in the later stages of the development life cycle, such as the security vulnerabilities, weaknesses, or flaws that may compromise the security of the application. When identified by external consultants, during the application rollout phase, or during each phase of the project cycle are not the situations when security requirements are the least expensive to implement, as they are either more dependent, reactive, or iterative than building security requirements into application design. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 21: Software Development Security, page 1151; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 8: Software Development Security, Question 8.10, page
304.

Since the circuit level proxy does not anayze the application content of the packet in making its decisions, it has lower overhead than an application level proxy.
"More difficult to maintain" is incorrect. Circuit level proxies are typicall easier to configure and simpler to maintain that an application level proxy.
"More secure" is incorrect. A circuit level proxy is not necessarily more secure than an application layer proxy.
"Slower" is incorrect. Because it is lower in overhead, a circuit level proxy is typically faster than an application level proxy.
References:
CBK,pp. 466 - 467
AIO3, pp.488 - 490

War Walking (or War Driving) refers to scanning for 802.11-based wireless network information, by either driving or walking with a laptop, a wireless adapter in promiscuous mode, some type of scanning software such as NetStumbler or AiroPeek, and a Global Positioning System (GPS).
*War Dialing, is a method used to hack into computers by using a software program to automatically call a large pool of telephone numbers to search for those that have a modem attached.
*Demon Dialing, similar to War Dialing, is a tool used to attack one modem using brute force to guess the password and gain access.
*ToneLoc, was one of the first war-dialing tools used by phone phreakers. Sources: Hacking Exposed by Stuart McClure, Joel Scambray, and George Kurtz (Osborne, 1999) and War Driving by the Bay by Kevin Poulsen, The Register, April 13, 2001.

The document that describes the measures that have been implemented or planned to correct any deficiencies noted during the assessment of the security controls is the Plan of Action and Milestones (POA&M). A POA&M is a tool that helps to track and manage the remediation actions for the identified weaknesses or gaps in the security controls. A POA&M typically includes the following elements: the description of the weakness, the source of the weakness, the risk level of the weakness, the proposed corrective action, the responsible party, the estimated completion date, and the status of the action. A POA&M can help to prioritize the remediation efforts, monitor the progress, and report the results. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Security Assessment and Testing, page 295; [Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6: Security Assessment and Testing, page 421]