During a recent audit, it was discovered that the employee who deploys patches also approves the patches. The audit found there is no documentation supporting
the patch management process, and there is no formal vetting of installed patches. Which of the following controls should be implemented to mitigate this risk?
(Select TWO).

A. IT contingency planning
B. Change management policy
C. Least privilege
D. Separation of duties
E. Dual control
F. Mandatory job rotation