Which TWO of the following are the MOST effective controls to prevent unauthorized changes to production data?
Ensures changes are authorized before implementation.
Why this answer
Requiring change management approval for all production changes is a preventive control that ensures every modification to production data is formally authorized, reviewed, and documented before implementation. This directly prevents unauthorized changes by enforcing a gatekeeping process where only approved changes proceed, reducing the risk of data integrity breaches. Without this control, even with other safeguards, an attacker or insider could bypass technical controls by simply requesting a change through official channels.
Exam trap
ISACA often tests the distinction between preventive and detective controls, and the trap here is that candidates mistakenly choose audit logging (a detective control) as a preventive measure because it provides evidence of changes, but it does not stop unauthorized changes from occurring.