ISACA CISA: Concern to IS auditor assessing configuration and release management process

Learn how to answer CISA exam questions on configuration and release management with this concise and accurate guide. Find out the correct answer and explanation for a sample question.

Question

Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization’s configuration and release management process?

A. The organization does not use an industry-recognized methodology.
B. Changes and change approvals are not documented.
C. There is no centralized configuration management database (CMDB).
D. All changes require middle and senior management approval.

Answer

B. Changes and change approvals are not documented.

Explanation

The lack of documentation for changes and change approvals is the greatest concern for an IS auditor, as it indicates a high risk of unauthorized, untested, or erroneous changes that could compromise the integrity, availability, and security of the information systems.

A configuration and release management process should ensure that all changes are properly recorded, authorized, tested, and approved before being implemented, and that the configuration items are accurately identified and tracked in a CMDB.

An industry-recognized methodology is desirable, but not mandatory, for a configuration and release management process. The level of management approval for changes depends on the impact and urgency of the changes, and may not always require middle and senior management involvement.
