Free Access ISC CISSP New Release

In a change-controlled environment, the activity that is most likely to lead to unauthorized changes to production programs is promoting programs to production without approval. A change-controlled environment is an environment that follows a specific process or a procedure for managing and tracking the changes to the hardware and software components of a system or a network, such as the configuration, the functionality, or the security of the system or the network. A change-controlled environment can provide some benefits for security, such as enhancing the performance and the functionality of the system or the network, preventing or mitigating some types of attacks or vulnerabilities, and supporting the audit and the compliance activities. A change-controlled environment can involve various steps and roles, such as:

• Change request, which is the initiation or the proposal of a change to the system or the network, by a user, a developer, a manager, or another stakeholder. A change request should include the details and the justification of the change, such as the scope, the purpose, the impact, the cost, or the risk of the change.
• Change review, which is the evaluation or the assessment of the change request, by a group of experts or advisors, such as the change manager, the change review board, or the change advisory board. A change review should include the decision and the feedback of the change request, such as the approval, the rejection, the modification, or the postponement of the change request.
• Change development, which is the implementation or the execution of the change request, by a group of developers or programmers, who are responsible for creating or modifying the code or the program of the system or the network, according to the specifications and the requirements of the change request.
• Change testing, which is the verification or the validation of the change request, by a group of testers or analysts, who are responsible for checking or confirming the functionality and the quality of the code or the program of the system or the network, according to the standards and the criteria of the change request.
• Change deployment, which is the installation or the integration of the change request, by a group of administrators or operators, who are responsible for moving or transferring the code or the program of the system or the network, from the development or the testing environment to the production or the operational environment, according to the schedule and the plan of the change request.

Promoting programs to production without approval is the activity that is most likely to lead to unauthorized changes to production programs, as it violates the change-controlled environment process and procedure, and it introduces potential risks or issues to the system or the network. Promoting programs to production without approval means that the code or the program of the system or the network is moved or transferred from the development or the testing environment to the production or the operational environment, without obtaining the necessary or the sufficient authorization or consent from the relevant or the responsible parties, such as the change manager, the change review board, or the change advisory board. Promoting programs to production without approval can lead to unauthorized changes to production programs, as it can result in the following consequences:

• The code or the program of the system or the network may not be fully or properly tested or verified, and it may contain errors, bugs, or vulnerabilities that may affect the functionality or the quality of the system or the network, or that may compromise the security or the integrity of the system or the network.
• The code or the program of the system or the network may not be compatible or interoperable with the existing or the expected components or features of the system or the network, and it may cause conflicts, disruptions, or failures to the system or the network, or to the users or the customers of the system or the network.
• The code or the program of the system or the network may not be documented or recorded, and it may not be traceable or accountable, and it may not be aligned or compliant with the policies or the standards of the system or the network, or of the organization or the industry.

Business line management and IT staff members are essential for developing effective test scenarios for DR test plans. Business line management can provide the business requirements, priorities, and impact analysis for the critical processes and functions that need to be recovered in the event of a disaster. IT staff members can provide the technical expertise, resources, and support for the recovery of the IT infrastructure and systems. Together, they can design realistic and comprehensive test scenarios that can validate the effectiveness and readiness of the DR plan. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations, page 411. CISSP Practice Exam – FREE 20 Questions and Answers, Question 15.

 Logical access controls are the policies, procedures, and mechanisms that regulate who can access an information asset and what actions they can perform on it. The primary goal of logical access controls is to restrict access to an information asset based on the principle of least privilege, which means that users should only have the minimum level of access required to perform their tasks. Ensuring integrity, restricting physical access, and ensuring availability are also important goals of information security, but they are not the primary goal of logical access controls. References: [CISSP CBK Reference, 5th Edition, Chapter 5, page 263]; [CISSP All-in-One Exam Guide, 8th Edition, Chapter 5, page 235]

Security credentials are the objects that should be removed first prior to uploading code to public code repositories. Security credentials are any data or information that can be used to authenticate or authorize a user or a system, such as passwords, keys, tokens, certificates, or hashes. Security credentials should never be exposed or stored in plain text in the source code, as they can be easily compromised by attackers who can access the public code repositories. Security credentials should be removed or replaced with dummy values before uploading code to public code repositories, and stored securely in a separate location, such as a vault or a configuration file. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, page 419; [Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8: Software Development Security, page 559]