Exam CISSP topic 1 question 117 discussion

Violated the "Release Control" of Change Management. Release Control Once the changes are finalized, they must be approved for release through the release control procedure. An essential step of the release control process is to double-check and ensure that any code inserted as a programming aid during the change process (such as debugging code and/or backdoors) is removed before releasing the new software to production. This process also ensures that only approved changes are made to production systems. Release control should also include acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.

This is the most viable answer for the specific keywords “security controls”. Is program management a security control?

Release from lower to high environment

A. Change management

The security control that is most likely to be violated in this scenario is: A. Change management. Change management involves implementing processes and controls to ensure that changes to the application, including updates and patches, are properly authorized, tested, and implemented in a controlled manner. It ensures that changes to the application do not introduce security vulnerabilities or compromise its integrity.

A. "The CISSP common body of knowledge asserts that change management systems should manage changes related to the entire life cycle of a system including design, development, testing, evaluation, implementation, distribution, and ongoing maintenance." https://securitythinkingcap.com/change-management-and-how-it-is-essential-to-your-security/#:~:text=Change%20management%20is%20a%20key,significant%20benefits%20to%20an%20organization.

The security control that is most likely to be violated in this scenario is "Change management." Change management is a process that is designed to ensure that changes to systems or applications are made in a controlled and authorized manner, minimizing the risk of disruption or compromise. Testing is an important part of the change management process, as it helps to identify and address any security issues that may be introduced as a result of a change. If the QA department is short-staffed and cannot test all modules before the anticipated release date of an application, it is likely that some changes will not be adequately tested, which could result in security issues being introduced into the application.

The new app hasnt been released to production yet. CM only kicks in once app is deployed to prod and we are in ops/maintenance phase

D. Correct answer Mobile code controls is most likely to be violated if the quality assurance (QA) department is short-staffed and unable to test all modules before the anticipated release date of an application. Mobile code controls refers to security measures that are put in place to ensure that code from external sources, such as third-party libraries or open-source components, is properly vetted before it is used in an application. Without proper testing, it is possible that malicious code or vulnerabilities could be included in the application, which would compromise its security.

I agreed with A. Shouldn't be C. What Is Program Management? Program management refers to managing all processes associated collectively with individual projects, such as looking into the staff, and work-related actions, aligning multiple projects with the company's objectives and reporting on status updates and progress. It also oversees the resource management plan and plans for involved projects regarding strategies and change management. reference : https://www.simplilearn.com/what-is-program-management-article The Change Management control can be re-designed to match the release control strategy. reference : https://cloud.google.com/architecture/devops/devops-process-streamlining-change-approval

to test all modules before the anticipated release date is change management

C is correct

How can they violate CM if they didn't do all tests? This doesn't make sense. Vote for C.

A. Change management - can't be this because the solution is not released/ in production yet B. Separation of environments - it's security control, but the question is about testing C. Program management - this makes sense, but the question doesn't word well. Not sure if program management has official control but if testing all the modules is agreed upon, and if the product is released, it's clearly a violation of what was agreed for the program scope. I would ask to raise risk and get an endorsement from management if this happens. D. Mobile code controls - doesn't align with the question

I am thinking this does align with C PM-11 MISSION/BUSINESS PROCESS DEFINITION Page last updated: Control Description The organization: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. PM-11 MISSION/BUSINESS PROCESS DEFINITION Control Description The organization: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.

Answer is correct. Program management is not a "security control"

is this the initial release date? seems like it would be PM