Section 4: Quiz 35 - Change, Configuration, Release and Patch Management
What is the objective of code signing? A. Ensuring that software has not subsequently modified B. Ensuring smooth integration with other code-signed systems C. Ensuring the integrity of the private key D. Ensuring the availability of the system
Answer: A. Ensuring that software has not subsequently modified Explanation: The objective of code signing is to provide assurance that code is generated from a reputable source and that the code has not been modified after being signed. Code signing will not provide assurance with respect to any other options. The process employs the use of a hash function to determine the integrity and authenticity of the code.
Which of the following is the best option for patch management to ensure that a new patch will not impact system processing? A. A patch should be tested prior to updating. B. A user should be trained in the patch updating process. C. A patch should be applied immediately and post-implementation testing should be carried out. D. A documented patch management process should be available.
Answer: A. A patch should be tested prior to updating Explanation: It is very important to test a patch before its implementation because patches may impact other systems and operations.
An IS auditor notes that the IT department has not updated a new patch for an application because other security controls are in place. What should the recommendation of the auditor be? A. The overall risk should be analyzed before any recommendation is made. B. Implement firewall rules. C. Implement an intrusion detection system. D. Provide adequate training to the system administrator.
Answer: A. Analyzing the overall risk before giving any recommendation Explanation: The first step is to analyze the overall risk, and then appropriate steps can be taken to address the risk.
An employee is granted authority to change the parameters of a critical file. Which of the following is the most effective control on that employee's activities? A. Changes should be approved by supervisor. B. Changes should be logged. C. Changes should be approved by peers. D. Changes should be approved by the employee themselves.
Answer: A. Changes should be approved by the supervisor Explanation: The best method is having approval by the supervisor as a requirement. This will prevent unauthorized changes to critical files.
Which of the following is the best compensatory control where developers themselves release emergency changes directly to production? A. Changes should be logged and approved on the next business day. B. Developers should only be allowed to do changes during office hours. C. Second-level approval is required before a change is released. D. Changes should be deployed only in the presence of the user.
Answer: A. Changes should be logged and approved on the next business day Explanation: Options B, C, and D are not feasible for releasing emergency changes. The best compensatory control is to log all such changes and subsequently approve those changes.
Which of the following is an important aspect of patch management? A. Conducting an impact analysis before the installation of a patch B. The selection of a well-established vendor for patch management C. The availability of a documented patch management process D. The immediate installation of security patches
Answer: A. Conducting an impact analysis before the installation of a patch Explanation: It is very important to test a patch and conduct an impact analysis before the installation of a patch. This is the most important aspect.
Which of the following best establishes accountability for personnel when it comes to emergency change? A. Granting production access to individual IDs as and when required B. The use of a generic firefighter ID for emergency changes C. The use of dedicated personnel to carry out emergency changes D. Pre-authorization for emergency changes
Answer: A. Granting production access to individual IDs as and when required Explanation: The best process to use to establish accountability is the use of individual IDs. When a change is complete, access can be removed. Generic IDs do not establish accountability. It is not cost-effective to employ dedicated resources for only emergency changes. Emergency changes require immediate action and obtaining prior authorization may not be feasible.
What is the objective of library control software? A. Providing assurance that program changes are authorized B. Providing assurance that program changes are tested C. Providing assurance that areas are automatically moved to production D. Providing assurance that only developers can access a program
Answer: A. Providing assurance that the program changes are authorized Explanation: A program stored in a library can be accessed only by authorized users. Also, it has provisions for reviewing and approving software changes. Library control software ensures that only authorized changes are allowed.
An IS auditor notes that IT personnel have not yet installed the patches that were released 2 months ago. What should the IS auditor do? A. Review the patch management policy and analyze the risks associated with delayed updates B. Recommend the immediate installation of the patch C. Report the findings to the audit committee of the board D. Determine the competency of the system administrator
Answer: A. Review the patch management policy and analyze the risks associated with a delayed update Explanation: An IS auditor should determine whether policies are appropriate and examine the risks associated with a delayed update. There may be a scenario where the risk of system instability is greater than the risk of having a delayed patch update. So, before reporting, the IS auditor should determine the overall risk associated with a delayed update.
Data is copied from a backup server to the production server. Which of the following is the best way to ensure that no unauthorized software moves to the production server? A. Reviewing changes in software version control B. Conducting a full backup C. Carrying out a backup process manually D. Reviewing the backup server log
Answer: A. Reviewing changes in software version control Explanation: Software version control will help to address this issue. An IS auditor should review the version of the software that is moved to production. This will help to determine that only the updated version is transferred to the production server.
Which of the following is the best control for emergency changes that bypass the normal change process? A. Subsequent review and approval of all emergency changes B. Capturing the logs of all emergency changes C. A documented process for emergency change management D. Emergency changes being pre-approved
Answer: A. The subsequent review and approval of all emergency changes Explanation: The best control is to review and approve such changes on the next working day. Only capturing the logs will not serve the purpose. Logs should be reviewed and approved for better control. Pre-approved changes are against best practices. It is good to have documented processes of emergency change management, but the best control is the subsequent review and approval of all changes.
An IS auditor notes that users are granted occasional authority to change a system. What should the IS auditor's first step be? A. Determine whether this process is allowed by policy B. Determine whether the training of the users is adequate C. Determine whether logs are captured for these changes D. Determine the availability of compensatory controls for this process
Answer: A. To determine whether this process is allowed by policy Explanations: In a few scenarios, users are granted the authority to change a system. However, the process should be followed as required by policy. If there is no policy of granting access, then such a policy should be designed to ensure that there are no unauthorized changes.
A review of the change management process indicates that the process is not fully documented and also that some migration processes failed. What should the next step for the IS auditor be? A. Try to get further information about the findings through root cause analysis. B. Report the findings to the audit committee of the board. C. Recommend reframing the change management process. D. Recommend discontinuing the migration process until the change management process is documented.
Answer: A. Trying to get further assurance about the findings using root cause analysis Explanation: Before recommending any action, an IS auditor should gain assurance that the deficiencies noted can be attributed to the failure of the change management process rather than some other process failure.
Which of the following is the most important consideration when ensuring system availability during the change management process? A. A documented procedure for sound change management B. The change management procedure being followed consistently C. Change only being authorized by the IT manager D. User acceptance testing being properly documented
Answer: B. A change management procedure is followed consistently Explanation: The most important control for ensuring system availability is a sound change management procedure that is followed consistently. Changes are required to be authorized by business managers also, not only by IT managers. User acceptance testing will not have any direct impact on system availability.
What is the most important aspect for patch updating for an operating system? A. Post-update regression testing B. Approval from the owner of the information system asset C. Approval from the information security team D. Adequate training for the system administrator
Answer: B. Approval from the owner of the information system asset Explanation: It is important to have the approval of the asset owner to avoid serious business disruption due to patch updates. The other options are not as significant as option B.
Which of the following is the fastest technique for determining data-file change management controls? A. One-to-one file checking B. Access confidentiality C. Transaction logs D. Backup files
Answer: C. Transaction logs Explanation: Transaction logs are used as an audit trail, which contains a detailed list of events with information such as the date and time of the event, the user ID, and the terminal location. This will help to investigate exceptions in the shortest possible time.
An IS auditor reviewing a change management procedure notes that some code that was missed during the production release was subsequently included in production without following the normal change management process. Which of the following is the area of most concern? A. The code was not released during the initial implementation. B. The code was subsequently included without change management approval. C. The error was not noted during user acceptance testing. D. The error was not noted during final system testing.
Answer: B. Code was subsequently included without change management approval Explanation: The most important area of concern is the inclusion of code without following the change management process. Unauthorized changes might impact system performance. The other options are significant; however, the most critical area of concern is option B.
What is the best way to find evidence of unauthorized changes in a production system? A. Log reviews B. Compliance testing C. Forensic reviews D. Utilization reports
Answer: B. Compliance testing Explanation: Compliance testing will help to determine whether a change management process is applied consistently and whether changes are appropriately approved. A forensic review is a specialized investigation for criminal cases. Logs would help identify the changes; however, to determine authorization, compliance testing of the change management process should be conducted.
The IS auditor notes that the system malfunctioned after the installation of a security patch. Which of the following is the best control for such an incident? A. Patch installation should be conducted only by the system administrator. B. The change management procedure should be followed for patch installation. C. The patch management process should be outsourced to third-party service providers. D. The approval of the business manager should be obtained for patch installation.
Answer: B. The change management procedure to be followed for patch installation Explanation: The change management process includes approvals, testing, scheduling, and rollback arrangements. It will help to prevent the system from malfunctioning due to an unorganized process of patch installation; the other options may not directly address the concern.
Which of the following provides the best evidence regarding the effectiveness of a change control procedure? A. Reviewing system-generated logs for the change made B. Verifying the approvals for the changes conducted C. Verifying the approvals for the change management policy D. Verifying the approvals for the creation of privilege rights
Answer: B. Verifying the approvals for the changes conducted Explanation: The most effective method of determining the effectiveness of a change control procedure is to determine what changes have been made and ask for the approvals for such changes. The other options may not indicate consistent implementation of the change control process.
An organization has changed the vendor maintaining critical applications. In the new contract, the incident resolution time has been modified. Which of the following is a major concern? A. The impact of the modification is not considered in the disaster recovery document. B. The impact of the modification is not considered when determining the recovery point objective. C. The application owners are not aware of the modification. D. The old service provider does not agree with the new resolution time.
Answer: C. Application owners not being aware of the modification Explanation: The major risk in this scenario is that application owners are not aware of the modification. This can have serious repercussions on critical business processes. Options A and B are important but not as critical as option C.
Which of the following procedures is used to restore a system to its prior state? A. Incident management B. Capacity management C. Backout procedure D. Software development life cycle
Answer: C. Backout procedure Explanation: The backout procedure is one of the elements of the change management process. The backout procedure is used to restore a system to an earlier state, prior to the state of upgrade. This process is used when upgrades are not successfully implemented and, as a result, some issues arise in the system's functioning.
Which of the following is considered a critical component in network management? A. Proxy troubleshooting B. Topological structure C. Change and configuration management D. Network monitoring tools
Answer: C. Change and configuration management Explanation: Configuration management is considered one of the key components in network management. It determines the network functionality both internally and externally. It ensures that the setup and management of the network is done properly. The other options, though important, are not as critical as change and configuration management.
What is the most likely reason for adopting emergency change procedure? A. The implementation of new functionality B. User acceptance testing not being required for minor changes C. A change having a significant impact on business operation D. A change being released by a third-party service provider
Answer: C. Change can have a significant impact on business operation Explanation: In some scenarios, a change is required to be implemented as soon as possible, for which normal change management procedures cannot be applied. Such changes have a significant impact on business operations.
Which of the following is the best process to use to test program changes? A. Reviewing samples of change authorization first and then analyzing the relevant modified programs B. Conducting a walk-through of the program changes from beginning to end C. Reviewing samples of change authorization first and then analyzing the supporting change authorization D. Using automated tools to analyze change authorization for missing fields
Answer: C. First reviewing a sample of modified programs and then analyzing the supporting change authorization Explanation: Reviewing a sample of modified programs and then tracing back to relevant supporting change authorization is the best way to test change management control. The other options will not able to identify changes without supporting authorization.
Which of the following is a major concern in a change management process? A. Different configurations for the test and production systems B. The non-availability of manual change management records C. The non-availability of a configuration management database D. Inadequate training of the personnel involved
Answer: C. The non-availability of a configuration management database Explanation: The configuration management database is used to monitor configuration assets and their dependencies. Its absence may result in incorrect approvals and configuration. Also, dependencies may be ignored during configuration. The other options are not as significant as option C.
Which of the following is a major concern for an in-house-developed application? A. A delay in implementation due to user acceptance testing B. An inadequate budget estimate C. A delay in implementation due to unit testing D. A change request being initiated and approved by the same employee
Answer: D. A change request being initiated and approved by the same employee Explanation: The major concern here is change requests being initiated and approved by the same employee. This violates the principle of segregation of duties. An employee should not be able to approve their own request. The other options are not as significant as option D.
Which of the following is the best control for configuration changes? A. An adequate audit trail B. Adequate training of personnel C. Adequate documentation for configuration management D. An adequate process of approval and review for critical changes
Answer: D. An adequate process of approval and review for critical changes Explanation: It is very important to follow the process of approval and review for changes. It ensures proper authorization for critical changes and also enforces separation of duties. It prevents unauthorized changes by any single employee. The other options serve as good controls, but option D is considered the best for processing configuration changes.
What is the most effective way to gauge the design effectiveness of a change management process? A. A sample test of change requests B. A sample test of change authorization C. Interviewing the staff D. Conducting an end-to-end walk-through of the change management process
Answer: D. Conducting an end-to-end walk-through of the change management process Explanation: To determine design effectiveness most effectively, you should understand the end-to-end process of change control management. This observation is the best way to ensure that the process is effectively designed. The other options are not as effective as having a process walk-through.