PrepAway - Latest Free Exam Questions & Answers

Which of the following types of risk mitigation strategies is being followed?

A security administrator is required to submit a detailed implementation plan and back out plan to
get approval prior to updating the firewall and other security devices. Which of the following types
of risk mitigation strategies is being followed?

A. Change management

B. Routine audit

C. Rights and permissions review

D. Configuration management

Explanation:

6 Comments on “Which of the following types of risk mitigation strategies is being followed?”

  1. Lake says:

    Change management is the structured approach that is followed to secure a company’s assets and not a risk mitigation strategy.

    Application change management is the processing of managing any changes to an application. It can include updating an application by applying patches but it also commonly includes making any configuration change in the application.

    Configuration management provides visibility and control of a system’s performance, as well as its functional and physical attributes. It is an operational control type that is put into action after a risk assessment has been done.

    The correct answer is D.

  2. Brian G says:

    This is a very interesting discussion. Lake, I don’t know why you say that change management is not a risk mitigation strategy. The risk is that the proposed changes to the firewall and other security devices may cause problems. That is a genuine risk, and it is mitigated by a change management control that requires a detailed implementation plan and a backout plan. The fact that the changes require approval also indicates that a change management process is being followed.

    Your comments about configuration management seem correct, but the process being described here is about change, not about ongoing metrics of system performance. Certainly configuration management is needed, but the issue is change.

    I agree with Greenhorn. I think the correct answer is A. At the same time, what Lake has said makes enough sense that it is just possible that the test makers (who have appeared to make many mistakes throughout the test) are expecting D, and an A would be scored as wrong. Looking at everything, I think A is a much better answer, but it isn’t crystal clear.

    Any other opinions?

  3. juanfra77 says:

    I have to say thank you to Lake for his great contribution on many questions. However, on this one I agree with the others and would go for answer A. Any change or update you do is a risk, as the results may not be what you were expecting. By having proper Change Management, you know how and when that change will be done and how you can roll back if its results are not what was expected.

    Answer A for me.

  4. Dan says:

    I’m going with A on this one too. The main reason is that it states that he has to submit and get approval first. This was from Darril Gibson’s website.

    “Configuration and change management. Configuration management often uses baselines to ensure that systems start in a secure, hardened state. Change management helps ensure that changes don’t result in unintended configuration errors.”

    To be quite honest, Change management, Patch management, and Configuration management can get a little confusing for me. Patch management deals with patches, Configuration management deals with configuration changes, but Change management is much more broad, and deals with any change. It also must go through a formal approval process.
