Certified Information Systems Auditor (CISA) — Question 98
An IS auditor notes that an organization's DevOps team has both production and developer access. The head of IT operations agrees that there is a segregation of duties concern but considers both types of access to be necessary for the team. Which of the following is the auditor's BEST recommendation?
Answer options
- A. Implement weekly management reviews to confirm that no change was both developed and deployed by the same engineer.
- B. Require DevOps engineers’ access to production systems to be reauthorized quarterly by the head of IT operations.
- C. Have developer access removed from the DevOps engineers.
- D. Implement an automated control to prevent deployment if the developer is also trying to deploy the change.
Correct answer: D
Explanation
The best recommendation is to implement an automated control that blocks a deployment when the person deploying the change is also the person who developed it. This directly addresses the segregation of duties concern at the point where the conflict would occur, and it does so without removing access the team needs. The other options are helpful but less effective: a weekly management review (A) and quarterly reauthorization (B) detect or revisit the issue after the fact rather than preventing a conflicting deployment, and removing developer access (C) does not account for the head of IT operations' position that both types of access are necessary.