PrepAway - Latest Free Exam Questions & Answers

Developers currently have access to update production servers without going through an approval
process. Which of the following strategies would BEST mitigate this risk?

A. Incident management

B. Clean desk policy

C. Routine audits

D. Change management

Explanation:
Change Management is a risk mitigation approach and refers to the structured approach that is followed
to secure a company’s assets. This structured approach involves policies that should be in place and
technological controls that should be enforced.
Incorrect Answers:
A: Incident management refers to the steps followed when events occur (making sure controls are in
place to prevent unauthorized access to, and changes of, all IT assets). These are usually set in a policy
that has been approved.
B: Clean Desk Policy refers to information on a desk—in terms of printouts, pads of note paper, sticky
notes, and the like that can be easily seen by prying eyes and taken by thieving hands. The strategy
should be to encourage employees to maintain clean desks and to leave out only those papers that are
relevant to the project they are working on at that moment. All sensitive information should be put away
when the employee is away from their desk.
C: Routine audits are carried out after you have implemented security controls based on risk. These
audits include aspects such as user rights and permissions and specific events.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 10, 402

