10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

Mock Test - Change management,

configuration management, and patch
management
Total points 21/29

Email *

[email protected]

Name

Yada Vittayabandit

Country

Thailand

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U-… 1/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

1. Which of the following is the most important consideration when 1/1

ensuring system availability during the change management process?

A. A documented procedure for sound change management

B. The change management procedure being followed consistently

C. Change only being authorized by the IT manager

D. User acceptance testing being properly documented

Feedback

Answer: B. The change management procedure is followed consistently

Explanation: The most important control for ensuring system availability is a
sound change management procedure that is followed consistently. Changes are
required to be authorized by business managers also, not only by IT managers.
User acceptance testing will not have any direct impact on system availability.

2. Which of the following is the best option for patch management to 1/1
ensure that a new patch will not impact system processing?

A. A patch should be tested prior to updating.

B. A user should be trained in the patch updating process.

C. A patch should be applied immediately and post-implementation testing should

be carried out.

D. A documented patch management process should be available.

Feedback

Answer: A. A patch should be tested prior to updating

Explanation: It is very important to test a patch before its implementation
because patches may impact other systems and operations.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U-… 2/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

1/1

3. What is the best way to find evidence of unauthorized changes in a

production system?

A. Log reviews

B. Compliance testing

C. Forensic reviews

D. Utilization reports

Feedback

Answer: B. Compliance testing

Explanation: Compliance testing will help to determine whether a change
management process is applied consistently and whether changes are
appropriately approved. A forensic review is a specialized investigation for
criminal cases. Logs would help identify the changes; however, to determine
authorization, compliance testing of the change management process should be
conducted.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U-… 3/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

1/1
4. A review of the change management process indicates that the
process is not fully documented and also that some migration processes
failed. What should the next step for the IS auditor be?

A. Try to get further information about the findings through root cause analysis.

B. Report the findings to the audit committee of the board.

C. Recommend reframing the change management process.

D. Recommend discontinuing the migration process until the change management

process is documented.

Feedback

Answer: A. Trying to get further assurance about the findings using root cause
analysis
Explanation: Before recommending any action, an IS auditor should gain
assurance that the deficiencies noted can be attributed to the failure of the change
management process rather than some other process failure.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U-… 4/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

1/1
5. Which of the following procedures is used to restore a system to its
prior state?

A. Incident management

B. Capacity management

C. Backout procedure

D. Software development life cycle

Feedback

Answer: C. Backout procedure

Explanation: The backout procedure is one of the elements of the change
management process. The backout procedure is used to restore a system to an
earlier state, prior to the state of upgrade. This process is used when upgrades
are not successfully implemented and, as a result, some issues arise in the
system's functioning.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U-… 5/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

1/1

6. Which of the following is considered a critical component in network

management?

A. Proxy troubleshooting

B. Topological structure

C. Change and configuration management

D. Network monitoring tools

Feedback

Answer: C. Change and configuration management

Explanation: Configuration management is considered one of the key
components in network management. It determines the network functionality
both internally and externally. It ensures that the setup and management of the
network are done properly. The other options, though important, are not as
critical as change and configuration management.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U-… 6/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

1/1
7. Which of the following is an important aspect of patch management?

A. Conducting an impact analysis before the installation of a patch

B. The selection of a well-established vendor for patch management

C. The availability of a documented patch management process

D. The immediate installation of security patches

Feedback

Answer: A. Conducting an impact analysis before the installation of a patch

Explanation: It is very important to test a patch and conduct an impact analysis
before the installation of a patch. This is the most important aspect.

8. Which of the following provides the best evidence regarding the 1/1
effectiveness of a change control procedure?

A. Reviewing system-generated logs for the change made

B. Verifying the approvals for the changes conducted

C. Verifying the approvals for the change management policy

D. Verifying the approvals for the creation of privilege rights

Feedback

Answer: B. Verifying the approvals for the changes conducted

Explanation: The most effective method of determining the effectiveness of a
change control procedure is to determine what changes have been made and ask
for the approvals for such changes. The other options may not indicate consistent
implementation of the change control process.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U-… 7/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

9. An IS auditor reviewing a change management procedure notes that 0/1

some code that was missed during the production release was
subsequently included in production without following the normal change
management process. Which of the following is the area of most concern?

A. The code was not released during the initial implementation.

B. The code was subsequently included without change management approval.

C. The error was not noted during user acceptance testing.

D. The error was not noted during final system testing.

Correct answer

B. The code was subsequently included without change management approval.

Feedback

Answer: B. The code was subsequently included without change management

approval
Explanation: The most important area of concern is the inclusion of code without
following the change management process. Unauthorized changes might impact
system performance. The other options are significant; however, the most critical
area of concern is option B.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U-… 8/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

1/1

10. What is the most effective way to gauge the design effectiveness of a
change management process?

A. A sample test of change requests

B. A sample test of change authorization

C. Interviewing the staff

D. Conducting an end-to-end walk-through of the change management process

Feedback

Answer: D. Conducting an end-to-end walk-through of the change

management process
Explanation: To determine design effectiveness most effectively, you should
understand the end-to-end process of change control management. This
observation is the best way to ensure that the process is effectively designed. The
other options are not as effective as having a process walk-through.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U-… 9/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

11. The IS auditor notes that the system malfunctioned after the 0/1
installation of a security patch. Which of the following is the best control
for such an incident?

A. Patch installation should be conducted only by the system administrator.

B. The change management procedure should be followed for patch installation.

C. The patch management process should be outsourced to third-party service

providers.

D. The approval of the business manager should be obtained for patch installation.

Feedback

Answer: B. The change management procedure should be followed for patch

installation
Explanation: The change management process includes approvals, testing,
scheduling, and rollback arrangements. It will help to prevent the system from
malfunctioning due to an unorganized process of patch installation; the other
options may not directly address the concern.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 10/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

12. What is the objective of code signing? 1/1

A. Ensuring that software has not subsequently modified

B. Ensuring smooth integration with other code-signed systems

C. Ensuring the integrity of the private key

D. Ensuring the availability of the system

Feedback

Answer: A. Ensuring that software has not subsequently modified

Explanation: The objective of code signing is to provide assurance that code is
generated from a reputable source and that the code has not been modified after
being signed. Code signing will not provide assurance with respect to any other
options. The process employs the use of a hash function to determine the
integrity and authenticity of the code.

13. What is the objective of library control software? 1/1

A. Providing assurance that program changes are authorized

B. Providing assurance that program changes are tested

C. Providing assurance that areas are automatically moved to production

D. Providing assurance that only developers can access a program

Feedback

Answer: A. Providing assurance that the program changes are authorized

Explanation: A program stored in a library can be accessed only by authorized
users. Also, it has provisions for reviewing and approving software changes.
Library control software ensures that only authorized changes are allowed.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6U… 11/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

14. Data is copied from a backup server to the production server. Which of 0/1
the following is the best way to ensure that no unauthorized software
moves to the production server?

A. Reviewing changes in software version control

B. Conducting a full backup

C. Carrying out a backup process manually

D. Reviewing the backup server log

Correct answer

A. Reviewing changes in software version control

Feedback

Answer: A. Reviewing changes in software version control

Explanation: Software version control will help to address this issue. An IS
auditor should review the version of the software that is moved to production.
This will help to determine that only the updated version is transferred to the
production server.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 12/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

15. Which of the following is the best compensatory control where 1/1
developers themselves release emergency changes directly to production?

A. Changes should be logged and approved on the next business day.

B. Developers should only be allowed to do changes during office hours.

C. Second-level approval is required before a change is released.

D. Changes should be deployed only in the presence of the user.

Feedback

Answer: A. Changes should be logged and approved on the next business day
Explanation: Options B, C, and D are not feasible for releasing emergency
changes. The best compensatory control is to log all such changes and
subsequently approve those changes.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 13/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

16. An organization has changed the vendor maintaining critical 0/1

applications. In the new contract, the incident resolution time has been
modified. Which of the following is a major concern?

A. The impact of the modification is not considered in the disaster recovery

document.

B. The impact of the modification is not considered when determining the

recovery point objective.

C. The application owners are not aware of the modification.

D. The old service provider does not agree with the new resolution time.

Correct answer

C. The application owners are not aware of the modification.

Feedback

Answer: C. The application owners not being aware of the modification

Explanation: The major risk in this scenario is that application owners are not
aware of the modification. This can have serious repercussions on critical
business processes. Options A and B are important but not as critical as option C.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 14/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

17. Which of the following is the best control for configuration changes? 1/1

A. An adequate audit trail

B. Adequate training of personnel

C. Adequate documentation for configuration management

D. An adequate process of approval and review for critical changes

Feedback

Answer: D. An adequate process of approval and review for critical changes

Explanation: It is very important to follow the process of approval and review for
changes. It ensures proper authorization for critical changes and also enforces
separation of duties. It prevents unauthorized changes by any single employee.
The other options serve as good controls, but option D is considered the best for
processing configuration changes.

18. Which of the following is a major concern in a change management 1/1

process?

A. Different configurations for the test and production systems

B. The non-availability of manual change management records

C. The non-availability of a configuration management database

D. Inadequate training of the personnel involved

Feedback

Answer: C. The non-availability of a configuration management database

Explanation: The configuration management database is used to monitor
configuration assets and their dependencies. Its absence may result in incorrect
approvals and configuration. Also, dependencies may be ignored during
configuration. The other options are not as significant as option C.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 15/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

19. Which of the following is a major concern for an in-house-developed 1/1

application?

A. A delay in implementation due to user acceptance testing

B. An inadequate budget estimate

C. A delay in implementation due to unit testing

D. A change request being initiated and approved by the same employee

Feedback

Answer: D. A change request being initiated and approved by the same

employee
Explanation: The major concern here is change requests being initiated and
approved by the same employee. This violates the principle of segregation of
duties. An employee should not be able to approve their own request. The other
options are not as significant as option D.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 16/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

20. Which of the following is the best process to use to test program 0/1
changes?

A. Reviewing samples of change authorization first and then analyzing the relevant
modified programs

B. Conducting a walk-through of the program changes from beginning to end

C. Reviewing samples of change authorization first and then analyzing the

supporting change authorization

D. Using automated tools to analyze change authorization for missing fields

Correct answer

C. Reviewing samples of change authorization first and then analyzing the

supporting change authorization

Feedback

Answer: C. Reviewing samples of change authorization first and then

analyzing the supporting change authorization
Explanation: Reviewing a sample of modified programs and then tracing back to
relevant supporting change authorization is the best way to test change
management control. The other options will not able to identify changes without
supporting authorization.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 17/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

21. Which of the following is the best control for emergency changes that 0/1
bypass the normal change process?

A. Subsequent review and approval of all emergency changes

B. Capturing the logs of all emergency changes

C. A documented process for emergency change management

D. Emergency changes being pre-approved

Correct answer

A. Subsequent review and approval of all emergency changes

Feedback

Answer: A. Subsequent review and approval of all emergency changes

Explanation: The best control is to review and approve such changes on the next
working day. Only capturing the logs will not serve the purpose. Logs should be
reviewed and approved for better control. Pre-approved changes are against best
practices. It is good to have documented processes of emergency change
management, but the best control is the subsequent review and approval of all
changes.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 18/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

22. What is the most important aspect for patch updating for an operating 1/1
system?

A. Post-update regression testing

B. Approval from the owner of the information system asset

C. Approval from the information security team

D. Adequate training for the system administrator

Feedback

Answer: B. Approval from the owner of the information system asset

Explanation: It is important to have the approval of the asset owner to avoid
serious business disruption due to patch updates. The other options are not as
significant as option B.

23. An IS auditor notes that IT personnel have not yet installed the patches 1/1
that were released 2 months ago. What should the IS auditor do?

A. Review the patch management policy and analyze the risks associated with
delayed updates

B. Recommend the immediate installation of the patch

C. Report the findings to the audit committee of the board

D. Determine the competency of the system administrator

Feedback

Answer: A. Review the patch management policy and analyze the risks
associated with delayed updates
Explanation: An IS auditor should determine whether policies are appropriate
and examine the risks associated with a delayed update. There may be a scenario
where the risk of system instability is greater than the risk of having a delayed
patch update. So, before reporting, the IS auditor should determine the overall
risk associated with a delayed update.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 19/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

1/1
24. What is the most likely reason for adopting emergency change
procedure?

A. The implementation of new functionality

B. User acceptance testing not being required for minor changes

C. A change having a significant impact on business operation

D. A change being released by a third-party service provider

Feedback

Answer: C. A change can have a significant impact on business operation

Explanation: In some scenarios, a change is required to be implemented as soon
as possible, for which normal change management procedures cannot be applied.
Such changes have a significant impact on business operations.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 20/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

0/1
25. Which of the following best establishes accountability for personnel
when it comes to emergency change?

A. Granting production access to individual IDs as and when required

B. The use of a generic firefighter ID for emergency changes

C. The use of dedicated personnel to carry out emergency changes

D. Pre-authorization for emergency changes

Correct answer

A. Granting production access to individual IDs as and when required

Feedback

Answer: A. Granting production access to individual IDs as and when

required
Explanation: The best process to use to establish accountability is the use of
individual IDs. When a change is complete, access can be removed. Generic IDs
do not establish accountability. It is not cost-effective to employ dedicated
resources for only emergency changes. Emergency changes require immediate
action and obtaining prior authorization may not be feasible.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 21/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

26. An IS auditor notes that the IT department has not updated a new 1/1
patch for an application because other security controls are in place. What
should the recommendation of the auditor be?

A. The overall risk should be analyzed before any recommendation is made.

B. Implement firewall rules.

C. Implement an intrusion detection system.

D. Provide adequate training to the system administrator.

Feedback

Answer: A. The overall risk should be analyzed before any recommendation is

made.
Explanation: The first step is to analyze the overall risk, and then appropriate
steps can be taken to address the risk.

27. An IS auditor notes that users are granted occasional authority to 1/1
change a system. What should the IS auditor's first step be?

A. Determine whether this process is allowed by policy

B. Determine whether the training of the users is adequate

C. Determine whether logs are captured for these changes

D. Determine the availability of compensatory controls for this process

Feedback

Answer: A. Determine whether this process is allowed by policy

Explanations: In a few scenarios, users are granted the authority to change a
system. However, the process should be followed as required by policy. If there
is no policy of granting access, then such a policy should be designed to ensure
that there are no unauthorized changes.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 22/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

28. An employee is granted authority to change the parameters of a 0/1

critical file. Which of the following is the most effective control on that
employee's activities?

A. Changes should be approved by supervisor.

B. Changes should be logged.

C. Changes should be approved by peers.

D. Changes should be approved by the employee themselves.

Correct answer

A. Changes should be approved by supervisor.

Feedback

Answer: A. Changes should be approved by supervisor

Explanation: The best method is having approval by the supervisor as a
requirement. This will prevent unauthorized changes to critical files.

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 23/24
10/21/22, 4:02 PM Mock Test - Change management, configuration management, and patch management

1/1
29. Which of the following is the fastest technique for determining data-
file change management controls?

A. One-to-one file checking

B. Access confidentiality

C. Transaction logs

D. Backup files

Feedback

Answer: C. Transaction logs

Explanation: Transaction logs are used as an audit trail, which contains a detailed
list of events with information such as the date and time of the event, the user ID,
and the terminal location. This will help to investigate exceptions in the shortest
possible time.

This content is neither created nor endorsed by Google. - Terms of Service - Privacy Policy

Forms

https://docs.google.com/forms/d/e/1FAIpQLSd-bf76wnKn8qkrGr4VHZPt_SD4ohpXEw_nnUuXb-gJ3vfKyA/viewscore?viewscore=AE0zAgDE6… 24/24