Certified Information Systems Auditor (CISA) — Question 397

Code changes are compiled and placed in a change folder by the developer. An implementation team migrates changes to production from the change folder.
Which of the following BEST indicates separation of duties is in place during the migration process?

Answer options

• A. A second individual performs code review before the change is released to production.
• B. The implementation team does not have access to change the source code.
• C. The implementation team does not have experience writing code.
• D. The developer approves changes prior to moving them to the change folder.

Correct answer: B

Explanation

Option B is correct because it ensures that the implementation team cannot modify the source code, thereby maintaining a clear separation of duties. Option A, while important, does not directly indicate separation of duties since it focuses on code review rather than access restrictions. Option C is irrelevant to the concept of separation of duties, and Option D implies that the developer still has control over the changes, which undermines the separation of responsibilities.