Certificate of Cloud Security Knowledge (CCSK) — Question 85
CCM: A hypothetical start-up company called "ABC" provides a cloud-based IT management solution. They are growing rapidly and therefore need to put controls in place to manage any changes in their production environment. Which of the following Change Control & Configuration Management controls, specific to the production environment, should they implement in this scenario?
Answer options
- A. Policies and procedures shall be established for managing the risks associated with applying changes to business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations, infrastructure network and systems components.
- B. Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g. issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
- C. All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.
- D. None of the above
Correct answer: A
Explanation
The correct answer, A, emphasizes the establishment of policies and procedures to manage risks related to changes in critical applications and systems, which is essential for a growing organization. Option B focuses on restricting unauthorized software, which, while important, does not directly address change control. Option C pertains to pre-approval of services for mobile devices, not the overall management of changes in the production environment, making it less relevant. Option D is incorrect as it dismisses the need for any controls.