A project is in the execution phase, developing a mobile payment application. The project manager receives a report that a critical security vulnerability was discovered in the third-party authentication library used by the application. The library is widely used and has an available patch that requires upgrading to a newer version. However, upgrading the library will break compatibility with the existing user authentication database schema, requiring a database migration that was not planned. The project has a fixed budget and a tight deadline. The change control board (CCB) meets weekly, and the next meeting is in three days. The lead developer recommends applying the patch immediately without waiting for CCB approval, arguing that the security risk is high and the patch is straightforward. What is the BEST course of action for the project manager?
This follows the change control process and ensures proper assessment and approval.
Why this answer
Option D is correct because the project manager must follow the established change control process, even for urgent security patches, when the change introduces an unplanned database migration that impacts scope, budget, and schedule. Waiting for the next CCB meeting (in three days) allows proper assessment of the upgrade's impact on the authentication database schema and ensures all stakeholders approve the change. Applying the patch without approval violates the change management plan and could lead to uncontrolled scope creep and budget overruns.
Exam trap
The trap here is that candidates assume security vulnerabilities always justify bypassing change control, but the PM must balance urgency with process, especially when the patch introduces an unplanned database migration that affects the fixed budget and tight deadline.
How to eliminate wrong answers
Option A is wrong because escalating to the project sponsor bypasses the CCB's authority and the defined change control process; the sponsor is not typically empowered to grant exceptions for technical changes that affect the database schema.
Option B is wrong because applying the patch immediately without CCB approval violates the change management plan, and the security vulnerability does not justify breaking the process when a CCB meeting is only three days away.
Option C is wrong because dismissing the patch as acceptable risk ignores the critical security vulnerability in a widely used authentication library, which could lead to data breaches and compliance violations.