93 SURGENT MCQ Flashcards
A company’s management lacks segregation of duties within the application environment, with programmers having access to development and production. The programmers can implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas?
Management override
Data integrity
Computer operations
Change control
Change control
The correct answer is “change control” because this is the process of modifying application software, including requesting a change, reviewing the effectiveness of the change, approving the change, and implementing the change. Since programmers can implement application code changes without approval, there is a weakness in control over changes to application programs.
The other answer choices are incorrect:
Management override refers to management not following properly designed and in-force controls.
Data integrity refers to the accuracy of data entered into the program or processing of that data rather than the software itself.
Computer operations refer to managing the computer system running the application rather than the steps programmed into the software.
Developing IS
Relevant Terms
Change Management
Integrity (IT)
Quality Assurance (QA)
Segregation (or Separation) of Duties
Reference
7114.05
A fast-growing service company is developing its information technology internally. What is the first step in the company’s systems development life cycle?
Implementation
Testing
Design
Analysis
Analysis
System analysis is the first step in the system development life cycle. This is where the information is gathered to decide whether to purchase or develop a system.
The other answer choices are incorrect because analysis would come before the other process steps, including conceptual design, physical design, implementation and conversion, and operation and maintenance.
Change Mgmt/Developing IS
Relevant Terms
Implementation
System Analysis
System Development Life Cycle (SDLC)
Reference
7114.01
7114.02
7114.03
7114.04
A software vendor has released several security patches in the last two weeks. What should the IT team do first?
Request a new software version with no vulnerabilities.
Confirm that the vendor has tested the patches.
Implement the security patches without delay.
Conduct a risk assessment before installing the patches.
Conduct a risk assessment before installing the patches.
Before installing a vendor-released patch, the IT team should conduct a risk assessment to determine the likelihood of the vulnerability being exploited and the impact of the vulnerability on the organization’s systems and applications.
The answer choice “request a new software version with no vulnerabilities” is incorrect as the vendor may not have a new version that does not require security patches, and therefore this might be a time-consuming option.
The answer choice “confirm that the vendor has tested the patches” is incorrect. While vendors usually test the patches before release, IT should always perform required system and application testing before installing the patch to protect against potential system functionality and availability issues.
The answer choice “implement the security patches without delay” is incorrect. Before installing a vendor-released patch, the IT team should conduct a risk assessment to determine the likelihood of the vulnerability being exploited and the impact of the vulnerability on the organization’s systems and applications.
Patch Management
Relevant Terms
Patch
Risk Assessment
Reference
7114.10
7114.13
Alex, an auditor, is reviewing the patch management process at an organization. Which of the following is the best procedure for Alex to validate that the latest vendor security patches are installed on all production servers?
Validate that automatic updates are pushed to production servers.
Select a sample of servers and ensure that the latest patches are installed.
Obtain and review the change management tickets for critical production servers.
Scan the production servers using an automated tool.
Scan the production servers using an automated tool.
An automated tool will generate a report containing the installed and missing patches on all production servers.
The answer choice “validate that automatic updates are pushed to production servers” is incorrect. Sometimes patches may not install through automated updates, and IT needs to investigate and resolve them. Therefore, this procedure would not assure that all servers are patched appropriately.
The answer choice “select a sample of servers and ensure that the latest patches are installed” is incorrect as this would assure a sample of production servers and not all production servers.
The answer choice “obtain and review the change management tickets for critical production servers” is incorrect as change tickets may not be updated and checking each ticket for patches will be time-consuming. Therefore, an automated tool would be a more effective and efficient option to validate which patches are installed and missing on each production server.
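As an added illustration of what the automated-tool answer means in practice (this is example code written for this page, not a tool named in the source): the script below models the report such a scanner produces. It compares the package versions actually found on each production server with a required-patch baseline, prioritizes each gap with a remediation deadline, and flags servers where the automatic-update agent reported success but the scan shows the patch absent, which is the failure mode the explanation above warns about. The server inventory, the patch identifiers (KB-2024-00x), and the SLA table are all constructed for the demonstration.

```python
"""Fleet patch-compliance report (added example; all data below is constructed)."""
from dataclasses import dataclass

# Assumed baseline: patch id -> (package, first fixed version, severity)
REQUIRED_PATCHES = {
    "KB-2024-001": ("openssl", (3, 0, 13), "critical"),
    "KB-2024-002": ("nginx",   (1, 24, 0), "high"),
    "KB-2024-003": ("zlib",    (1, 3, 1),  "medium"),
}

# Assumed policy: days allowed to remediate, by severity and internet exposure
SLA_DAYS = {
    ("critical", True): 7,  ("critical", False): 14,
    ("high", True): 14,     ("high", False): 30,
    ("medium", True): 30,   ("medium", False): 60,
}


@dataclass
class Server:
    name: str
    internet_facing: bool
    installed: dict        # package -> version tuple actually observed by the scan
    auto_update_ok: bool   # what the update agent reported; may be wrong


def parse_version(text: str) -> tuple:
    """'3.0.13' -> (3, 0, 13); tuples compare component by component."""
    return tuple(int(p) for p in text.split("."))


def scan_server(server: Server) -> list:
    """Return (patch id, severity, sla_days) for every applicable patch that is missing."""
    missing = []
    for patch_id, (pkg, fixed, severity) in REQUIRED_PATCHES.items():
        have = server.installed.get(pkg)
        if have is None:
            continue  # package not present, so the patch does not apply
        if have < fixed:
            missing.append((patch_id, severity, SLA_DAYS[(severity, server.internet_facing)]))
    missing.sort(key=lambda m: m[2])  # shortest deadline first
    return missing


def fleet_report(servers: list) -> dict:
    """Per-server result: missing patches plus a silent-failure flag."""
    report = {}
    for s in servers:
        missing = scan_server(s)
        report[s.name] = {
            "missing": missing,
            # agent claimed success but the scan disagrees: the case auto-update status cannot reveal
            "silent_failure": s.auto_update_ok and bool(missing),
        }
    return report


# Constructed inventory: web-02 was "updated" according to its agent but still runs old OpenSSL
FLEET = [
    Server("web-01", True,  {"openssl": parse_version("3.0.13"), "nginx": parse_version("1.24.0"),
                             "zlib": parse_version("1.3.1")}, True),
    Server("web-02", True,  {"openssl": parse_version("3.0.11"), "nginx": parse_version("1.24.0"),
                             "zlib": parse_version("1.3.1")}, True),
    Server("db-01",  False, {"openssl": parse_version("3.0.13"), "zlib": parse_version("1.2.13")}, False),
]

if __name__ == "__main__":
    for name, result in fleet_report(FLEET).items():
        print(name, result)
```

The sample-of-servers option in the question corresponds to calling scan_server on a subset of FLEET; the scanner answer corresponds to fleet_report over all of it, and only the latter surfaces the silent failure on web-02.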
Relevant Terms
Patch
Reference
7114.10
7114.14
An auditor is reviewing change management controls at a small organization and has noted that the developer deploys emergency changes directly to production. What is the most effective control to ensure developers do not manipulate the approved change in production?
The developer’s access to production should expire once the changes are deployed.
The change should be approved in writing before migration.
The organization should hire additional personnel to deploy changes to production.
The audit trail should be reviewed by another individual after the change is deployed.
The audit trail should be reviewed by another individual after the change is deployed.
A review of the audit trail by another individual will help determine whether the developer made unauthorized code changes.
The answer choice “the developer’s access to production should expire once the changes are deployed” is incorrect. Restricting developer access for a limited timeframe cannot prevent or detect unauthorized modifications to changes in the production environment.
The answer choice “the change should be approved in writing before migration” is incorrect. Emergency changes warrant quick deployment to prevent adverse circumstances and obtaining written approval before migration may not always be possible.
The answer choice “the organization should hire additional personnel to deploy changes to production” is incorrect. Smaller organizations often lack the funds to hire additional resources to maintain the segregation of duties between the developer and implementer. Therefore, it may be appropriate for developers to implement changes in production as long as another individual reviews the production audit trail.
Change Management
Relevant Terms
Audit Trail (Audit Log)
Change Management
Reference
7114.01
7114.02
An auditor is reviewing the patch management process at a small start-up organization. Which of the following is the least concern for the auditor?
Critical vendor patches are applied without testing.
Risk assessment is not performed before patch installation.
IT trainees are responsible for testing and installing patches.
A patch management policy is not formally documented.
A patch management policy is not formally documented.
In smaller, start-up organizations, a patch management process may exist but is not documented in a formal policy. While this is not the best practice, the other answer choices have more weight.
The other answer choices are incorrect as they are of more concern for the IS auditor:
Critical vendor patches are applied without testing: While vendors usually test the patches before release, IT should always perform required system and application testing before installing the patch to protect against potential system functionality and availability issues.
Risk assessment is not performed before patch installation: Before installing a vendor-released patch, the IT team should conduct a risk assessment to determine the likelihood of the vulnerability being exploited and the impact of the vulnerability on the organization’s systems and applications.
IT trainees are responsible for testing and installing patches: Patch management is vital to ensure the security of systems and applications, and therefore it is crucial that patching is performed by capable and experienced IT personnel. Trainees may be allowed to perform patching provided skilled individuals supervise their work.
Patch Management
Relevant Terms
Documentation
Patch
Risk Assessment
Reference
7114.10
7114.13
An auditor observed several application errors resulting in an outage. After inquiring with IT, the auditor learned that the errors occurred after installing a patch. Which of the following is the primary reason for the program errors?
Patches must be implemented by system administrators only.
Patches must be tested before installation.
Systems should always be backed up before implementation.
The change management process was not followed.
The change management process was not followed.
The change management process includes procedures for testing and deploying changes before installation, and would have reasonably prevented the application errors.
The answer choice “patches must be tested before installation” is incorrect. Patches should be approved and tested as part of the change management process, and testing alone would not prevent application errors.
The answer choice “patches must be implemented by system administrators only” is incorrect as this control is intended to ensure segregation of duties from the developers. However, this would not ensure that the change management process will be appropriately followed so that patches are approved and tested before implementation.
The answer choice “systems should always be backed up before implementation” is incorrect. The objective of that control is to allow the system to be rolled back to its previous state should the change (including the patch) not go as planned; it does not prevent the errors from occurring.
Patch Management
Relevant Terms
Change Management
Patch
Reference
7114.10
An auditor is evaluating the change management process for an international organization. Which of the following is the greatest concern for the auditor?
Change management records are manually maintained.
Test and production environments are installed on the same server.
Test and production servers are configured with different parameters.
There is no configuration management database (CMDB).
There is no configuration management database (CMDB).
A CMDB is a database or repository that includes information about an organization’s hardware and software components and the relationships between those components. These components are referred to as configuration items (CIs). Without a CMDB, the organization cannot reliably identify which components a proposed change affects, so the impact of the change cannot be assessed and required change approvals may not be properly obtained.
The answer choice “test and production servers are configured with different parameters” is incorrect. Test and production regions may run different parameters depending on the type of change being tested.
The answer choice “change management records are manually maintained” is incorrect. While keeping records manual may be inefficient, as long as the records are appropriately maintained, this is not a concern.
The answer choice “test and production environments are installed on the same server” is incorrect. If the test and production environments are logically separated (separate accounts, storage, and network access) and that separation is enforced, installing them on the same physical server has no adverse impact.
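To show concretely what the CMDB gives a change approver, here is an added example (written for this page, not taken from the source or from any CMDB product). The CMDB is modelled as an in-memory map of configuration items and their “depends on” relationships; the CI names are made up. impacted_by() walks the relationships in reverse to return every CI that would be affected by changing a given item, which is exactly the information that cannot be produced when no CMDB exists.

```python
"""Change impact from a CMDB (added example; CI names and relationships are constructed)."""
from collections import deque

# Constructed CMDB: CI -> set of CIs it depends on ("runs on" / "calls")
CMDB = {
    "payroll-app":   {"app-server-01", "payroll-db"},
    "hr-portal":     {"app-server-01", "hr-db"},
    "payroll-db":    {"db-cluster-a"},
    "hr-db":         {"db-cluster-a"},
    "db-cluster-a":  {"san-01"},
    "app-server-01": {"hypervisor-03"},
    "hypervisor-03": set(),
    "san-01":        set(),
}


def dependents_index(cmdb: dict) -> dict:
    """Invert the dependency map: CI -> set of CIs that depend on it directly."""
    idx = {ci: set() for ci in cmdb}
    for ci, deps in cmdb.items():
        for d in deps:
            idx.setdefault(d, set()).add(ci)
    return idx


def impacted_by(cmdb: dict, changed_ci: str) -> set:
    """Breadth-first walk over reverse edges; everything reached is in the blast radius."""
    idx = dependents_index(cmdb)
    if changed_ci not in idx:
        raise KeyError(f"{changed_ci} is not a registered CI")
    seen, queue = set(), deque([changed_ci])
    while queue:
        ci = queue.popleft()
        for dep in idx[ci]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def change_record(cmdb: dict, changed_ci: str, business_services: set) -> dict:
    """The impact summary a change approver would review before authorizing the change."""
    impacted = impacted_by(cmdb, changed_ci)
    return {
        "ci": changed_ci,
        "impacted_cis": sorted(impacted),
        "impacted_services": sorted(s for s in business_services if s in impacted),
    }


if __name__ == "__main__":
    # Firmware update on the shared storage array: which business services does it touch?
    print(change_record(CMDB, "san-01", {"payroll-app", "hr-portal"}))
```

A change to san-01 in this model reaches both business applications through the shared database cluster; a change to app-server-01 reaches both applications but not the databases. That difference is what drives the approval, the test scope, and the maintenance window.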
Configuration Management
Relevant Terms
Change Management
Configuration
Configuration Management
Database
Reference
7114.07
7114.08
An online database management system for sales and receivables was recently expanded to include credit approval transactions. An evaluation of controls was not performed before implementation. If certain data elements were not defined in the expansion, the following problem could result:
Unlimited access to data and transactions
Unauthorized program execution
Manipulation of the database contents by an application program
Incomplete transaction processing
Incomplete transaction processing
The correct answer is “incomplete transaction processing” because failure to define the program specification blocks (PSB) completely prevents the application program from accessing or changing data, resulting in incomplete processing.
The other answer choices are incorrect:
Unlimited access to data and transactions: Data element definition allows application programs to access or change data; therefore, no access takes place if they are not defined.
Unauthorized program execution: Without the program specification blocks, the application program cannot access data or execute.
Manipulation of the database contents by an application program: The desired manipulation of the database contents by an application program cannot take place if program specification blocks are not defined.
Testing the Design and Implementation of Change Control Policies
Relevant Terms
Processing
System
Transaction
Reference
7114.20
Brian is an auditor who tests and evaluates an organization’s change management process. What is the most crucial control the auditor should validate to ensure system availability?
IT managers only authorize changes.
User acceptance testing (UAT) is documented and approved.
System capacity planning is reviewed.
Test plans and procedures are documented and followed.
Test plans and procedures are documented and followed.
Appropriate change management testing plans help identify and resolve issues with the system’s changes to ensure the system is available for business use.
The answer choice “IT managers only authorize changes” is incorrect. Change authorization is a significant change control but does not by itself ensure system availability. Changes should be authorized by the change advisory board (CAB), not only by IT managers.
The answer choice “user acceptance testing (UAT) is documented and approved” is incorrect. The objective of UAT is to ensure that change is developed as per business requirements. A successful UAT does not provide assurance over system availability.
The answer choice “system capacity planning is reviewed” is incorrect. Capacity planning assists in forecasting computer resource requirements to ensure that adequate capacity exists when needed. Reviewing capacity plans does not provide assurance that a specific change will not disrupt the system once deployed.
Testing the Design and Implementation of Change Control Policies
Relevant Terms
Change Management
Documentation
System
Reference
7114.01
7114.02
7114.18
7114.19
Camila, an auditor, is reviewing the patch management process. She noted that IT had not deployed the latest patch available for a business application. What is the best course of action for Camila?
To report an audit finding and present to management
To review and evaluate compensating security controls in place
To mandate IT to deploy the missing patch immediately
To evaluate the risk of deploying the patch to the business application
To evaluate the risk of deploying the patch to the business application
While patch management is vital to ensure the security of systems and applications, sometimes patches may adversely affect the system and the IT environment. Therefore, IT should evaluate the risk of deploying the patch and then test it, preferably on noncritical systems, to minimize the potential adverse impact on the IT environment.
The other answer choices are incorrect. The uninstalled patch identified by the auditor may not require an immediate installation. Therefore, the auditor should first evaluate the risk of deploying the patch before taking any further actions, such as reporting the finding, evaluating other controls, or mandating IT to deploy the patch immediately.
Patch Management
Relevant Terms
Mission-Critical System
Patch
Reference
7114.09
7114.10
7114.13
Candace, an auditor, is auditing the change management process. She discovered that an application code was migrated to production without following the change management process. What would be the greatest concern for Candace?
The IT team did not detect the error during the post-implementation review.
User acceptance testing (UAT) was not performed on the code migration.
The change was implemented on an urgent business request.
The change approval board did not approve the code migration.
The change approval board did not approve the code migration.
Unauthorized changes to production may lead to data breaches, data manipulation, fraudulent transactions, and system disruption.
The answer choice “the change was implemented on an urgent business request” is incorrect. Urgent business requests must follow the organization’s emergency change control procedures and be approved by the change approval board.
The answer choice “the IT team did not detect the error during the post-implementation review” is incorrect. While post-implementation reviews are essential, a lack of change authorization (preventive control) has a more significant impact on system functionality and availability.
The answer choice “user acceptance testing (UAT) was not performed on the code migration” is incorrect. The absence of UAT may cause system functionality problems and is a lesser concern as compared to change authorization.
Change Management
Relevant Terms
Change Management
Reference
7114.01
7114.02
Coleen is an auditor reviewing the batch job failure list. For one failed batch job, the auditor noted that the business had run the job successfully during user acceptance testing (UAT). However, upon investigation, the auditor noted that the batch job was modified after UAT acceptance. Which control should Coleen recommend that would most effectively mitigate the issue?
Perform more thorough testing.
Validate that developers have access to the development environment only.
IT should review audit trails after code release.
Review access privileges for the application.
Validate that developers have access to the development environment only.
Developers should not have access to the production environment. If the code needs to be altered post-UAT, developers should follow the development process to make changes, and UAT should accept the change.
The other answer choices are incorrect as thorough testing, review of audit trails, and review of user access privileges would not prevent the developers from accessing the code after UAT is completed. The most crucial issue is that developers should not have access to the production environment.
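Two of the cards above rely on the same detective control: the emergency-change card says another individual should review the production audit trail, and this card describes a batch job that was altered after UAT sign-off. The added example below (written for this page, not from the source) shows both checks in code. It hashes each artifact at UAT approval, compares those hashes against what is actually in production, and then reviews a constructed audit log for write actions by a developer that are not tied to an approved change ticket. The file names, user names, and ticket number CHG-1042 are made up.

```python
"""Post-deployment integrity and audit-trail review (added example; all data is constructed)."""
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the artifacts as they were when UAT signed off under change CHG-1042
UAT_APPROVED = {
    "batch/nightly_settlement.py": b"def run():\n    settle(all_accounts())\n",
    "batch/interest_accrual.py":   b"def run():\n    accrue(rate=0.021)\n",
}
# The manifest is what the CAB approves; it travels with the change ticket
APPROVED_MANIFEST = {path: sha256(content) for path, content in UAT_APPROVED.items()}

# Constructed: what is actually sitting in production; one file was edited after UAT
PRODUCTION = {
    "batch/nightly_settlement.py": b"def run():\n    settle(all_accounts())\n",
    "batch/interest_accrual.py":   b"def run():\n    accrue(rate=0.025)\n",
}


def verify_deployed(manifest: dict, production: dict) -> list:
    """Return (path, reason) for every artifact that differs from its UAT-approved hash."""
    findings = []
    for path, approved_hash in manifest.items():
        actual = production.get(path)
        if actual is None:
            findings.append((path, "missing in production"))
        elif sha256(actual) != approved_hash:
            findings.append((path, "modified after UAT approval"))
    return findings


# Constructed production audit trail: timestamp user action object ticket-or-dash
AUDIT_LOG = """\
2024-05-02T01:10:03Z jsmith deploy batch/nightly_settlement.py CHG-1042
2024-05-02T01:10:04Z jsmith deploy batch/interest_accrual.py CHG-1042
2024-05-02T01:42:17Z jsmith edit batch/interest_accrual.py -
2024-05-02T02:00:00Z svc_sched run batch/interest_accrual.py -
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
WRITE_ACTIONS = {"deploy", "edit", "delete"}


def review_audit_trail(log_text: str, approved_changes: set, developers: set) -> list:
    """Flag write actions on production by a developer that carry no approved change ticket."""
    flagged = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # malformed line; a real review would also count these
        ts, user, action, obj, ticket = m.groups()
        if action in WRITE_ACTIONS and user in developers and ticket not in approved_changes:
            flagged.append((ts, user, action, obj))
    return flagged


if __name__ == "__main__":
    print(verify_deployed(APPROVED_MANIFEST, PRODUCTION))
    print(review_audit_trail(AUDIT_LOG, {"CHG-1042"}, {"jsmith"}))
```

The hash comparison answers “is what runs in production what UAT accepted?”; the log review answers “who changed it and under which ticket?”. Both are detective controls that follow the deployment, which is why the Coleen card still ranks removing developer production access, a preventive control, above them.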
Change Management
Relevant Terms
Testing
Reference
7114.01
7114.02
Change management control policies should contain which of the following elements?
Require IT management to review, monitor, and approve all change requests
Assess what impact each change will have on system availability, security, maintainability, and integrity
Ensure proper testing of changes before the changes are implemented in a production environment
All of the answer choices are correct.
All of the answer choices are correct.
All of the answer choices are correct. Change management control policies put into place the proper processes and approval channels to make changes to an organization’s systems. At a minimum, they should include the following elements:
Formalized channels for requesting and approving changes to any of the organization’s information systems
Preventing unauthorized changes from occurring
Ensuring that any changes made do not impair or negatively impact the other functions of the system
Ensuring that the viability of the system as a whole is not impaired
Requiring appropriate testing of all changes before implementation to production environments occurs
Developing IS
Relevant Terms
Change Management
Implementation
Reference
7114.05
During a post-implementation review of an accounting information system (AIS), a CPA learned that an AIS with few customized features had been budgeted and scheduled to be installed over 9 months for $3 million (including hardware, software, and consulting fees). An in-house programmer was assigned as the project manager and had difficulty keeping the project on schedule. The implementation took 18 months, and actual costs were 30% over budget. With the project manager’s authorization, many features were added to the system on an ad-hoc basis. The end users are delighted with the new system. The steering committee, however, is dissatisfied with the scope creep and would like a recommendation to consider before approving the initiation of another large project. Based on those findings, the CPA should recommend implementing a:
contract management system.
budgeting system.
project timekeeping system.
change control system.
change control system.
The correct answer is “change control system” because it is the process of requesting a change, reviewing the effectiveness of the change, approving the change, and implementing the change. Change control procedures include the following:
Approval of the change by the change control board; assign a project leader.
The project leader ensures all required signatures and authorities have been received for a given change.
Establish and assign schedules and tasks for individuals involved in the project.
All personnel involved in the project must adhere to the assigned work.
Test, approve, and implement the change.
The other answer choices are incorrect:
A contract management system is generally a software program(s) designed for storing and managing legal agreements such as contracts with vendors, leases, and licensing agreements to streamline administrative tasks.
Companies use a budgeting system to accomplish goals for growth and sustainability; major objectives include coordination, allocation of resources, and general planning for operations.
A project timekeeping system is designed to record time spent on tasks and is often used as a basis for billing work out to customers.
Change Management/Developing IS
Relevant Terms
Change Management
Reference
7114.01
7114.05
Each of the following projects would fall under the scrutiny of an entity’s change management policy, except:
updating a version of the entity’s existing software system.
installing a new module to an existing enterprise resource planning system already in place.
fixing a software bug after the platform release.
purging data from a financial application’s data cache.
purging data from a financial application’s data cache.
Change management policies focus on managing and controlling changes to systems, processes, or configurations that have the potential to impact the organization’s operations, data integrity, security, or other critical aspects. Purging data from a data cache is not a system or process change that impacts an operation or critical aspect of the organization.
The other answer choices would fall under the scrutiny of an entity’s change management policy:
Updating a version of the entity’s existing software system involves making changes to the software that can affect its functionality, compatibility, and performance. These changes would be subject to change management to ensure a smooth transition and minimize disruptions.
Installing a new module to an existing enterprise resource planning system is a major change to an existing system and can impact business processes, data flow, and integration. Change management helps plan and execute the change.
Fixing a software bug after the platform release is a change to the software. Change management helps track and manage these changes to ensure that they do not introduce new issues or negatively impact the users.
Relevant Terms
Change Management
Reference
7114.01
7114.02
In the context of change control and risk assessment, what is the primary objective of analyzing risks associated with each change?
To highlight potential risks and emphasize their potential impact
To expedite the change implementation process by dismissing inherent risks
To prevent all changes with potential risks to maintain a risk-free environment
To identify and understand inherent risks for effective mitigation
To identify and understand inherent risks for effective mitigation
Analyzing risks associated with each change is to identify and understand inherent risks to implement effective mitigation measures. This process helps ensure that changes are implemented with an awareness of potential risks and that appropriate measures are in place to manage those risks.
The other answer choices are incorrect:
To highlight potential risks and emphasize their potential impact: While identifying risks is an important part of the process, the goal is not to emphasize them but to understand and mitigate them effectively.
To expedite the change implementation process by dismissing inherent risks: Dismissing inherent risks without addressing them is not a sound approach. The objective is to address and mitigate risks proactively.
To prevent all changes with potential risks to maintain a risk-free environment: Avoiding all changes with potential risks is impractical and counterproductive. The aim is to manage and mitigate risks, not avoid them altogether.
Testing the Design and Implementation of Change Control Policies
Relevant Terms
Change Management
Inherent Risk
Risk Assessment
Reference
7114.19
In the systems development cycle, coding is:
part of the detailed design phase.
part of the data flow diagram.
a form of program maintenance.
part of the feasibility study.
part of the detailed design phase.
The correct answer is “part of the detailed design phase” because coding (of data, accounts, etc.) is a part of the detailed design stage, in which programs and data structures are developed, facilities are installed, and employees are trained.
The other answer choices are incorrect because they are not part of the systems development cycle, which consists of analysis, conceptual design, detailed design, implementation, and operation.
Change Management
Relevant Terms
Code
Data Flow Diagram (DFD)
Implementation
System Development Life Cycle (SDLC)
Reference
7114.02
IT operations management has implemented an automated problem and change management solution to manage and monitor problems and changes in the computer center. Management cannot track whether all problems that require changes are adequately monitored and resolved. What improvements should the IS auditor recommend?
A separate problem log should be maintained.
A separate change log should be maintained.
Each problem should be given a sequential problem number when a problem is reported.
The problem number should be cross-referenced between the problem log and the change log.
The problem number should be cross-referenced between the problem log and the change log.
Separate logs, one for problem recording and the other for change recording, are usually maintained to monitor problems and changes. Since a problem may require a change, it would be appropriate to cross-reference the problem number in both the logs so that the changes can be tracked and monitored for status and resolution.
The answer choices “a separate problem log should be maintained” and “a separate change log should be maintained” are incorrect as separate logs will not indicate which problems required a change.
The answer choice “each problem should be given a sequential problem number when a problem is reported” is incorrect as the problem number needs to be referenced in the change log to monitor and track the problems.
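The reconciliation the correct answer describes is easy to automate once the problem number is carried in the change log. The added example below (written for this page; the problem and change records are constructed and the numbering scheme is assumed) joins the two logs on that reference and reports the three conditions management in the question could not track: open problems with no change raised, changes that point at a problem number the problem log does not contain, and problems still open after their change has been implemented.

```python
"""Problem log / change log cross-reference (added example; records are constructed)."""

# Constructed problem log: problem number -> (description, status)
PROBLEM_LOG = {
    "PRB-101": ("Nightly backup job exceeds window", "open"),
    "PRB-102": ("TLS certificate on portal expiring", "open"),
    "PRB-103": ("Disk alert on db-02", "closed"),
    "PRB-104": ("Application error after patch", "open"),
}

# Constructed change log: change number -> (description, referenced problem or None, status)
CHANGE_LOG = {
    "CHG-201": ("Retune backup schedule", "PRB-101", "implemented"),
    "CHG-202": ("Renew portal certificate", "PRB-102", "scheduled"),
    "CHG-203": ("Add storage to db-02", "PRB-103", "implemented"),
    "CHG-204": ("Upgrade monitoring agent", None, "implemented"),   # standalone change, no problem
    "CHG-205": ("Roll back patch KB-2024-007", "PRB-999", "implemented"),  # bad reference
}


def changes_by_problem(changes: dict) -> dict:
    """Index changes by the problem number they reference."""
    idx = {}
    for chg, (_, prb, status) in changes.items():
        if prb:
            idx.setdefault(prb, []).append((chg, status))
    return idx


def reconcile(problems: dict, changes: dict) -> dict:
    """Cross-reference the two logs and return the exceptions a reviewer should follow up."""
    by_problem = changes_by_problem(changes)
    report = {
        "no_change_raised": [],         # open problem, no change references it
        "dangling_reference": [],       # change references a problem number that does not exist
        "unresolved_after_change": [],  # change implemented but the problem is still open
    }
    for prb, (_, pstatus) in problems.items():
        linked = by_problem.get(prb, [])
        if pstatus == "open" and not linked:
            report["no_change_raised"].append(prb)
        for chg, cstatus in linked:
            if cstatus == "implemented" and pstatus == "open":
                report["unresolved_after_change"].append((prb, chg))
    for prb, linked in by_problem.items():
        if prb not in problems:
            report["dangling_reference"].extend(chg for chg, _ in linked)
    return report


if __name__ == "__main__":
    for category, items in reconcile(PROBLEM_LOG, CHANGE_LOG).items():
        print(f"{category}: {items}")
```

Without the shared problem number, none of the three checks can be computed from the logs; with it, each is a simple join, which is why cross-referencing rather than a new log or sequential numbering alone is the recommended improvement.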
Developing Information Systems
Relevant Terms
Change Management
Reference
7114.05
IT recently installed a vendor patch that caused a critical application to crash, resulting in significant downtime. What should the IS auditor do to reduce the likelihood of this happening again?
Install the patch as per the vendor instructions.
Test the patch before deploying it into production.
Approve the patch after a thorough risk assessment.
Obtain and review the organization’s change management policy.
Obtain and review the organization’s change management policy.
The IS auditor should review and evaluate the change management policy and patch management procedures to determine the effectiveness of controls in the policy and procedures.
The other answer choices are incorrect as the patch installation, as per the vendor instructions, testing, and patch approval, should be performed by the IT and security team, not by the auditor.
Patch Management
Relevant Terms
Change Management
Patch
Risk Assessment
Reference
7114.09
7114.10
7114.11
Jennifer, an auditor, noted that the vendor released software patches for a critical system two months ago, but the organization had not yet implemented the patches. What should Jennifer do first?
Report an audit finding regarding the uninstalled patch.
Recommend that the patch should be tested and implemented immediately.
Recommend that new patches should be immediately implemented upon release.
Review the patch management policy and assess the risk related to the vulnerabilities.
Review the patch management policy and assess the risk related to the vulnerabilities.
Jennifer should first review the existing patch management policy and determine whether current patch management control practices are adequate to address the risk related to the vulnerabilities.
Once Jennifer has reviewed the patch management policy and determined its effectiveness, she should evaluate the risk related to the vulnerability and then make relevant recommendations (other options) or raise a finding.
The answer choice “recommend that the patch should be tested and implemented immediately” is incorrect. The IS auditor must first review and evaluate the patch management policy and subsequently validate whether IT has assessed the risk of not installing the new patch. Depending on the criticality of the patch, immediate installation may not be required, as IT should prioritize the patching process in accordance with the criticality of the vulnerability.
The answer choice “recommend that new patches should be implemented immediately upon release” is incorrect. Before applying a vendor-released patch, the IT function should conduct a risk assessment to determine the likelihood and impact of the vulnerability that can be exploited. While vendors usually test the patches before release, IT should always perform required system and application testing before installing the patch to protect against potential system functionality or availability issues.
The answer choice “report an audit finding regarding uninstalled patch” is incorrect. The IS auditor should first review the patch management policy before reporting an audit finding.
Patch Management
Relevant Terms
Mission-Critical System
Patch
Reference
7114.10
7114.11
7114.13
Peter, an auditor, is reviewing the change management process. Peter noted that the change management methodology is not formally documented, and some changes failed during migration to production. What should Peter do next?
Recommend discontinuing changes to production until the change management process is formally documented.
Recommend that management review and document the change management process.
Report a finding in the audit report.
Perform a root cause analysis of the failed changes.
Perform a root cause analysis of the failed changes.
Peter should first validate that the failed changes were caused by problems in the change management process and not by other factors. Once the root cause has been determined, the auditor can provide appropriate recommendations to address the underlying issue.
The answer choice “report a finding in the audit report” is incorrect. A root cause analysis of the problem should be performed before reporting a finding to management.
The answer choice “recommend that management review and document the change management process” is incorrect. Peter should only make recommendations once the root cause has been determined, to ensure that management addresses the issue appropriately.
The answer choice “recommend discontinuing changes to production until the change management process is formally documented” is incorrect. Change deployments may include important system functionality and security updates that should be deployed in a timely manner to avoid business interruption and system issues such as data breaches and unavailability. Therefore, it would not be viable to discontinue migrating changes to production.
Change Management
Relevant Terms
Change Management
Reference
7114.01
7114.02
Security administrators at a large organization have complained to IT leadership that they have been working long hours for the last few months to test and install patches as per the patch management policy. What is the best course of action for IT leadership?
Ensure that automatic updates are pushed to all production servers.
Defer the patching process until additional personnel are hired.
Put testing on hold and place reliance on vendor testing.
The current patch management process should be sustained.
The current patch management process should be sustained.
Patch management is an essential step in maintaining secure systems. Failure to install critical patches on time exposes the organization’s IT and data assets to exploitation by unauthorized users, resulting in confidentiality, integrity, and availability issues. IT leadership should determine an alternative course of action, such as hiring contract workers or increasing headcount, to ensure patches are tested and applied in a timely manner.
The answer choice “ensure that automatic updates are pushed to all production servers” is incorrect. Patches must be appropriately tested before updates are pushed to the servers.
The answer choice “defer the patching process until additional personnel are hired” is incorrect. Failure to install critical patches on time exposes the organization’s IT and data assets to exploitation by unauthorized users, resulting in confidentiality, integrity, and availability issues.
The answer choice “put testing on hold and place reliance on vendor testing” is incorrect. While vendors usually test patches before release, IT should always perform the required system and application testing before installing a patch to protect against potential system functionality or availability issues.
Patch Management
Relevant Terms
Patch
Reference
7114.09
7114.10