CISSP · Question #1076
The quality assurance (QA) department is short-staffed and is unable to test all modules before the anticipated release date of an application. What security control is MOST likely to be violated?
The correct answer is D. Change management. When QA cannot fully test application modules before release, the change management process is violated because untested code is being moved into production without proper validation and approval controls.
Question
The quality assurance (QA) department is short-staffed and is unable to test all modules before the anticipated release date of an application. What security control is MOST likely to be violated?
Options
- ASeparation of environments
- BProgram management
- CMobile code controls
- DChange management
How the community answered
(31 responses)- A6% (2)
- B3% (1)
- C13% (4)
- D77% (24)
Why each option
When QA cannot fully test application modules before release, the change management process is violated because untested code is being moved into production without proper validation and approval controls.
Separation of environments refers to keeping development, testing, and production environments distinct, which is not directly violated by the QA staffing shortage or incomplete testing.
Program management relates to the overall governance and oversight of IT programs and projects, not the specific control around testing and approving changes before deployment.
Mobile code controls refer to security policies governing the use of executable content such as Java applets or scripts that can be transferred across networks, which is unrelated to the QA testing scenario.
Change management requires that all changes to systems, including application releases, go through a formal process that includes testing, review, and approval before deployment to production. Releasing an application with untested modules bypasses the verification and validation gates inherent in change management, introducing uncontrolled risk into the production environment. This directly violates the principle that changes must be fully assessed and authorized prior to implementation.
Concept tested: Change management controls and release validation process
Source: https://www.nist.gov/publications/guide-information-technology-security-services-nist-special-publication-800-35
Topics
Community Discussion
No community discussion yet for this question.