Certified Information Security Manager (CISM) — Question 209

Which of the following change management procedures is MOST likely to cause concern to the information security manager?

Answer options

• A. Users are not notified of scheduled system changes.
• B. Fallback processes are tested the weekend before changes are made.
• C. The development manager migrates programs into production.
• D. A manual rather than an automated process is used to compare program versions.

Correct answer: C

Explanation

The correct answer is C because the migration of programs into production by the development manager can bypass essential security checks, creating potential vulnerabilities. Options A and D also present concerns, but they are less direct in impacting security than the uncontrolled migration in C. Option B is a precautionary measure that actually enhances security rather than posing a risk.