Separation of Duties in Code Migration Process: CISA Exam Question Answer


Question

Code changes are compiled and placed in a change folder by the developer.

An implementation team migrates changes to production from the change folder.

Which of the following BEST indicates separation of duties is in place during the migration process?

Answers

A. A second individual performs a code review before the change is released to production.
B. The developer approves changes prior to moving them to the change folder.
C. The implementation team does not have experience writing code.
D. The implementation team does not have access to change the source code.

Correct answer: A

Explanation

The BEST indicator of separation of duties during the migration process is option A: a second individual performs a code review before the change is released to production.

Separation of duties is a fundamental principle of internal control. Responsibility for a critical function is divided among several individuals so that no single person can both make a change and approve it, which reduces the risk that an error, fraud, or other malicious activity goes undetected. In software development this means that a change to program code is reviewed and tested by someone other than its author before it is implemented in the production environment.

Option B, where the developer approves changes prior to moving them to the change folder, does not provide separation of duties because no separate individual verifies the change. The developer is approving their own work, so an error or a deliberately malicious modification can pass into the change folder, and from there to production, without anyone else having looked at it.

Option C, where the implementation team does not have experience writing code, is not a control at all. A lack of skill neither prevents nor detects the migration of an unreviewed change; the team can still copy whatever is in the change folder to production, and it does not address the need for independent verification of the code.

Option D, where the implementation team does not have access to change the source code, is an access restriction on the migrators. It limits what the implementation team can alter, but it does not address the need for independent verification of the developer's change before it is released.

In contrast, option A introduces a separate individual who reviews the change to confirm that it is properly documented and tested and that it meets the required coding standards. The change is therefore vetted by someone independent of its author before it reaches production, which is what separation of duties is meant to achieve: reducing the risk of errors, fraud, or malicious activity.
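The control described in option A is only effective if it is actually enforced at migration time and if the artifact that reaches production is the one that was reviewed. The following is an added example, not code from the original page or from any exam-prep source: a pre-migration gate that an implementation team could run against a change record before copying a build out of the change folder. The `ChangeRecord` fields, the names `alice`, `bob` and `carol`, and the sample builds are all constructed for illustration; real deployments would read these from a change-management system.

```python
"""Added example (not part of the original page): a separation-of-duties gate
run before migrating a change from the change folder to production.

It enforces two things the explanation above relies on:
  1. the developer who built the change is neither its reviewer nor its
     migrator (no self-approval, no self-deployment);
  2. the artifact being migrated is byte-for-byte the artifact the reviewer
     looked at, checked with a SHA-256 digest recorded at review time.
All record fields and sample data are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    developer: str            # who compiled the change and placed it in the folder
    reviewer: Optional[str]   # second individual who performed the code review
    migrator: str             # implementation-team member doing the migration
    reviewed_sha256: Optional[str]  # digest recorded when the review was signed off
    artifact: bytes           # what is actually sitting in the change folder now


def sha256_hex(data: bytes) -> str:
    """Digest of the artifact as it exists in the change folder."""
    return hashlib.sha256(data).hexdigest()


def sod_violations(rec: ChangeRecord) -> List[str]:
    """Return every separation-of-duties problem found; empty list means clean."""
    problems: List[str] = []

    # Independent review: someone other than the author must have reviewed it.
    if rec.reviewer is None:
        problems.append("no independent code review recorded")
    elif rec.reviewer == rec.developer:
        problems.append("reviewer is the developer (self-approval)")

    # The author must not also be the one pushing it to production.
    if rec.migrator == rec.developer:
        problems.append("migrator is the developer")

    # A review is worthless if the folder contents changed after sign-off.
    if rec.reviewed_sha256 is None:
        problems.append("no reviewed artifact hash recorded")
    elif sha256_hex(rec.artifact) != rec.reviewed_sha256:
        problems.append("artifact in change folder differs from reviewed artifact")

    return problems


def may_migrate(rec: ChangeRecord) -> bool:
    """True only when no separation-of-duties violation is present."""
    return not sod_violations(rec)


if __name__ == "__main__":
    reviewed_build = b"release-1.4.2 (constructed sample build)"
    # Constructed sample: alice develops, bob reviews, carol migrates.
    clean = ChangeRecord("CHG-1001", "alice", "bob", "carol",
                         sha256_hex(reviewed_build), reviewed_build)
    # Constructed sample: same record, but the folder was modified after review.
    tampered = ChangeRecord("CHG-1001", "alice", "bob", "carol",
                            sha256_hex(reviewed_build), reviewed_build + b"\n# extra")
    for rec in (clean, tampered):
        verdict = "MIGRATE" if may_migrate(rec) else "BLOCK"
        print(rec.change_id, verdict, sod_violations(rec))
```

The digest check is the piece most often left out in practice: a second reviewer (option A) is a detective control over the developer, but without binding the reviewed bytes to the migrated bytes, the developer can still swap the contents of the change folder after sign-off. The gate above treats that as a violation in the same way it treats self-approval.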