nerdexam
(ISC)2

CISSP · Question #1076

The quality assurance (QA) department is short-staffed and is unable to test all modules before the anticipated release date of an application. What security control is MOST likely to be violated?

The correct answer is D. Change management. When QA cannot fully test application modules before release, the change management process is violated because untested code is being moved into production without proper validation and approval controls.

Submitted by akirajp· Mar 5, 2026Software Development Security

Question

The quality assurance (QA) department is short-staffed and is unable to test all modules before the anticipated release date of an application. What security control is MOST likely to be violated?

Options

  • ASeparation of environments
  • BProgram management
  • CMobile code controls
  • DChange management

How the community answered

(31 responses)
  • A
    6% (2)
  • B
    3% (1)
  • C
    13% (4)
  • D
    77% (24)

Why each option

When QA cannot fully test application modules before release, the change management process is violated because untested code is being moved into production without proper validation and approval controls.

ASeparation of environments

Separation of environments refers to keeping development, testing, and production environments distinct, which is not directly violated by the QA staffing shortage or incomplete testing.

BProgram management

Program management relates to the overall governance and oversight of IT programs and projects, not the specific control around testing and approving changes before deployment.

CMobile code controls

Mobile code controls refer to security policies governing the use of executable content such as Java applets or scripts that can be transferred across networks, which is unrelated to the QA testing scenario.

DChange managementCorrect

Change management requires that all changes to systems, including application releases, go through a formal process that includes testing, review, and approval before deployment to production. Releasing an application with untested modules bypasses the verification and validation gates inherent in change management, introducing uncontrolled risk into the production environment. This directly violates the principle that changes must be fully assessed and authorized prior to implementation.

Concept tested: Change management controls and release validation process

Source: https://www.nist.gov/publications/guide-information-technology-security-services-nist-special-publication-800-35

Topics

#change management#SDLC#quality assurance#security testing

Community Discussion

No community discussion yet for this question.

Full CISSP Practice