Chapter 21: Change Management Review Quiz
Why should developers and testers avoid using "live" production data to perform various testing activities?
- The use of "live" production data ensures a full and realistic test database.
- The use of "live" production data can jeopardize the confidentiality and integrity of the production data
- The use of "live" production data ensures an independent and objective test environment
- Developers and testers should be allowed to use "live" production data for reasons of efficiency.
Answer = The use of "live" production data can jeopardize the confidentiality and integrity of the production data
What is the primary goal of a backout plan?
- To restore the system to its previous operating condition
- To return the IT service to users as quickly as possible
- To protect the components and data in the live environment
- To ensure consistency and integrity
Answer = To restore the system to its previous operating condition.
Change management can be scaled to control and manage the development and maintenance of systems effectively.
- True
- False
Answer = True
Virtualization can be used as a form of sandboxing with respect to an entire system.
- True
- False
Answer = True
Which of the following correctly defines the principle of least privilege?
- Access privileges are reviewed regularly to ensure that individuals who no longer require access have had their privileges removed.
- Authorization of a subject's access to an object depends on sensitivity labels.
- The administrator determines which subjects can have access to certain objects based on organizational security policy.
- Users have no more privileges than are necessary to perform their jobs
Answer = Users have no more privileges than are necessary to perform their jobs
Software change management procedures are established to:
- Ensure continuity of business operations in the event of a natural disaster.
- Add structure and control to the development of software systems.
- Ensure changes in business operations caused by a management restructuring are properly controlled.
- Identify threats, vulnerabilities, and mitigating actions that could impact an enterprise
Answer = Add structure and control to the development of software systems.
Which will help prevent a person from replacing code with code that contains a backdoor into a system?
- Cryptography
- Code integrity
- Code validity
- Code comparison
Answer = Code integrity
Which change management phase ensures that only approved changes to a baseline are allowed to be implemented?
- Configuration auditing
- Configuration control
- Configuration identification
- Configuration status accounting
Answer = Configuration control
The purpose of a change control board (CCB) is to:
- Facilitate management oversight and better project coordination
- Identify which assets need to be managed and controlled
- Establish software processes that are structured enough that success with one project can be repeated for another similar project
- Track and maintain data relative to each configuration item in the baseline
Answer = Facilitate management oversight and better project coordination
Why should end users not be given access to program source code?
- It could allow an end user to identify weaknesses or errors in the source code
- It ensures that testing and quality assurance perform their proper functions
- It assists in ensuring an independent and objective testing environment
- It could allow an end user to execute the source code
Answer = It could allow an end user to identify weaknesses or errors in the source code
Which position is responsible for approving the movement of executable code to the production system?
- System administrator
- Developer
- Manager
- Quality Assurance
Answer = Manager
What is a foundation for change management?
- Least privilege
- Separation of duties
- Defense in depth
- Redundancy
Answer = Separation of duties
Which of the following does NOT adhere to the principle of separation of duties?
- Software development, testing, quality assurance, and production should be assigned to the same individuals.
- Software developers should not have access to production data and source code files.
- Software developers and testers should be restricted from accessing "live" production data.
- The functions of creating, installing, and administering software programs should be assigned to different individuals
Answer = Software development, testing, quality assurance, and production should be assigned to the same individuals.
Which term refers to a preapproved change that is low risk, relatively common and follows a procedure or work instruction?
- Change
- Reserve change
- Emergency change
- Standard change
Answer = Standard Change
Which report documents changes or corrections to a system?
- System Process Report
- Segregated Software Report
- System Problem Report
- System Progress Report
Answer = System Problem Report
A software program needs some updates. This request should be handled through:
- Upper management of the firm
- The lead software developer
- The project manager
- The CCB
Answer = The CCB
Within the software change control workflow, which individual is usually responsible for compiling and incorporating changed software into an executable image?
- The manager
- The sysadmin
- The developer
- The buildmaster
Answer = The buildmaster
Configuration control is:
- The process of controlling changes to items that have been baselined
- The process of identifying which assets need to be managed and controlled
- The process of verifying that the configuration items are built and maintained properly
- The procedures for tracking and maintaining data relative to each configuration item in the baseline
Answer = The process of controlling changes to items that have been baselined
Configuration Identification is:
- The process of verifying that the configuration items are built and maintained properly
- The procedure for tracking and maintaining data relative to each configuration item in the baseline
- The process of controlling changes to items that have been baselined
- The process of identifying which assets need to be managed and controlled
Answer = The process of identifying which assets need to be managed and controlled
Configuration auditing is:
- The process of controlling changes to items that have been baselined
- The process of identifying which assets need to be managed and controlled
- The process of verifying that the configuration items are built and maintained properly
- The procedures for tracking and maintaining data relative to each configuration item in the baseline
Answer = The process of verifying that the configuration items are built and maintained properly
