A security engineer is given new application extensions each month that need to be secured prior
to implementation. They do not want the new extensions to invalidate or interfere with existing
application security. Additionally, the engineer wants to ensure that the new requirements are
approved by the appropriate personnel. Which of the following should be in place to meet these
two goals? (Select TWO).

A.
Patch Audit Policy

B.
Change Control Policy

C.
Incident Management Policy

D.
Regression Testing Policy

E.
Escalation Policy

F.
Application Audit Policy

Explanation:
A backout (regression testing) is a reversion from a change that had negative consequences. It
could be, for example, that everything was working fi ne until you installed a service pack on a
production machine, and then services that were normally available were no longer accessible.
The backout, in this instance, would revert the system to the state that it was in before the service
pack was applied. Backout plans can include uninstalling service packs, hotfi xes, and patches,
but they can also include reversing a migration and using previous firmware. A key component to
creating such a plan is identifying what events will trigger your implementing the backout.
A change control policy refers to the structured approach that is followed to secure a company’s
assets in the event of changes occurring.