An IS auditor is reviewing a change management process. A developer made an emergency change directly to production without following the standard change approval process. The change was later documented as a normal change. Which control weakness is MOST indicated by this scenario?
Trap 1: Absence of a rollback plan for emergency changes
Rollback plans are relevant but not the primary weakness highlighted.
Trap 2: Insufficient testing of emergency changes before deployment
Testing is important, but the main issue is unauthorized access.
Trap 3: Lack of a formal change documentation policy
Documentation was done, though improperly categorized.
- A: Inadequate segregation of duties between development and production environments
  Direct production access by developers violates segregation of duties.
- B: Absence of a rollback plan for emergency changes
  Why wrong: Rollback plans are relevant but not the primary weakness highlighted.
- C: Insufficient testing of emergency changes before deployment
  Why wrong: Testing is important, but the main issue is unauthorized access.
- D: Lack of a formal change documentation policy
  Why wrong: Documentation was done, though improperly categorized.