A. Change control is the process of strictly controlling changes to a system or program. All changes should require authorization by the appropriate personnel, and when a system or program is changed, the changes should be made to a separate copy rather than to the copy of the program that is in use. Any changes must also be properly reflected in all of the related documentation to ensure that changes have a minimal impact on processing and result in minimal risk to the system.
Program change control comprises: (1) maintaining records of change authorizations, code changes, and test results; (2) adhering to a systems development methodology (including documentation); (3) authorizing changeovers of subsidiary and headquarters' interfaces; and (4) restricting access to authorized source and executable codes.
B. Frequently, the purpose of database reviews is to determine if: (1) users have gained access to database areas for which they have no authorization, and (2) authorized users can access the database using programs that provide them with unauthorized privileges to view and/or change information.
C. The purpose of compliance reviews is to determine whether an organization has complied with applicable internal and external procedures and regulations.
D. The purpose of network security software is to provide logical controls over the network.