Exam CISA topic 1 question 982 discussion

Actual exam question from Isaca's CISA
Question #: 982
Topic #: 1

An IS auditor notes that an organization's DevOps team has both production and developer access. The head of IT operations agrees that there is a segregation of duties concern but considers both types of access to be necessary for the team. Which of the following is the auditor's BEST recommendation?

  • A. Implement weekly management reviews to confirm that no change was both developed and deployed by the same engineer.
  • B. Require DevOps engineers’ access to production systems to be reauthorized quarterly by the head of IT operations.
  • C. Have developer access removed from the DevOps engineers.
  • D. Implement an automated control to prevent deployment if the developer is also trying to deploy the change.
Suggested Answer: D

Comments

Staanlee
Highly Voted 1 year, 10 months ago
Selected Answer: D
The correct answer is D, Implement an automated control to prevent deployment if the developer is also trying to deploy the change. In this scenario, the IS auditor has identified a segregation of duties concern, which is a principle that is intended to ensure that no single individual has complete control over a process or system. By having both production and developer access, the DevOps team may be able to both develop and deploy changes to the organization's systems, potentially leading to conflicts of interest or the potential for fraud or abuse. To address this concern, the auditor's best recommendation would be to implement an automated control that prevents deployment if the developer is also trying to deploy the change. This would ensure that there is a separation between the development and deployment of changes, and it would help to reduce the risk of potential conflicts of interest or abuse.
upvoted 7 times
SuperMax
1 year, 1 month ago
Option A (Implement weekly management reviews) is not the best recommendation because it relies on manual reviews, which can be time-consuming, error-prone, and may not prevent issues in real-time. Option B (Reauthorize access quarterly) is a step in the right direction, but it may not provide real-time control and may still allow for periods where a single individual has both types of access. Option C (Remove developer access) is too restrictive and might hinder the DevOps team's ability to work efficiently and collaboratively. Option D is the best choice because it suggests implementing an automated control. This control would prevent deployment if the same engineer is attempting to both develop and deploy the change simultaneously.
upvoted 3 times
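
The automated control described in option D, written as a pre-deployment gate (an added example, not part of the exam question or of any comment in this thread). The `Change` record, the e-mail style identities and the change IDs are constructed assumptions; the gate also goes slightly beyond the option by failing closed when no author or deployer is recorded, and it logs every decision so a reviewer has evidence to sample.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    change_id: str
    authors: tuple  # identities that committed code to this change


def normalize(identity):
    """Canonicalize so 'Bob@Corp.example ' and 'bob@corp.example' compare equal."""
    return (identity or "").strip().lower()


def check_deploy(change, deployer):
    """Return (allowed, reason); fail closed when evidence is missing."""
    who = normalize(deployer)
    authors = {normalize(a) for a in change.authors} - {""}
    if not who:
        return False, "deployer identity missing"
    if not authors:
        return False, "no recorded author, separation cannot be shown"
    if who in authors:
        return False, f"{who} authored {change.change_id} and cannot deploy it"
    return True, f"{who} is independent of the authors"


def gate(requests):
    """Evaluate (change, deployer) pairs; return an audit record per decision."""
    log = []
    for change, deployer in requests:
        allowed, reason = check_deploy(change, deployer)
        log.append({"change": change.change_id, "deployer": normalize(deployer),
                    "decision": "ALLOW" if allowed else "BLOCK", "reason": reason})
    return log


# Constructed sample requests: independent deployer, co-author deploying, no author data
SAMPLE = [
    (Change("CHG-1001", ("alice@corp.example",)), "bob@corp.example"),
    (Change("CHG-1002", ("alice@corp.example", "bob@corp.example")), "Bob@Corp.example "),
    (Change("CHG-1003", ()), "carol@corp.example"),
]

if __name__ == "__main__":
    for record in gate(SAMPLE):
        print(record)
```
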
Swallows
Most Recent 4 months ago
Selected Answer: A
Option D, "Implement automated controls to prevent deployment if developers are also trying to deploy changes," is generally considered a good security measure, but is not directly a specific audit measure for the specific issue. Also, it is not necessary to completely prevent developers from deploying changes, but appropriate management and audit mechanisms are important. Therefore, the auditor should recommend weekly management reviews aimed at ensuring separation of duties.
upvoted 1 times
FAGFUR
1 year ago
Selected Answer: B
The best recommendation in this situation is to implement a periodic reauthorization process for DevOps engineers' access to production systems. Option B suggests reauthorizing access quarterly, allowing the head of IT operations to periodically review and confirm the necessity of the access. This approach provides a balance between the need for access and the segregation of duties concerns. It acknowledges the necessity of both types of access for the DevOps team but introduces a control mechanism to regularly review and validate that access is still appropriate. This helps mitigate the risk associated with the potential conflict of duties. Option B is generally considered a more practical and balanced approach to managing the segregation of duties concern in DevOps environments. It introduces a control without completely restricting necessary access, allowing for ongoing operational efficiency while maintaining a level of oversight.
upvoted 2 times
blarzz58
1 year, 11 months ago
Answer D I guess
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other