SSCP Exam Question | Not a Preventative Control

Not a Preventative Control


Question

Which of the following is not a preventative control?

Answers

Explanations


C.

Running the source comparison program between control and current source periodically allows detection, not prevention, of unauthorized changes in the production environment.

Other options are preventive controls.

Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 309).

Preventative controls are designed to prevent security incidents from happening. They are proactive measures that are put in place to stop potential security breaches before they occur. Of the options provided, three are examples of preventative controls, while one is not.

A. Deny programmer access to production data - This is an example of a preventative control. By denying programmers access to production data, organizations can prevent accidental or intentional changes to data that could result in security incidents.

B. Require change requests to include information about dates, descriptions, cost analysis, and anticipated effects - This is also an example of a preventative control. By requiring detailed information about changes, organizations can prevent unauthorized changes and ensure that changes are properly vetted before being implemented.

C. Run a source comparison program between control and current source periodically - This is another example of a preventative control. By periodically comparing the current source to the control source, organizations can identify unauthorized changes and prevent security incidents from occurring.

D. Establish procedures for emergency changes - This is not a preventative control. Emergency change procedures are designed to provide a rapid response to security incidents that have already occurred. While emergency change procedures are an important part of any security program, they are not considered preventative controls.

In summary, option D, establishing procedures for emergency changes, is not a preventative control. The other options provided, denying programmer access to production data, requiring detailed change requests, and running source comparison programs, are all examples of preventative controls that organizations can use to prevent security incidents from occurring.