Providing security certification for a new system should include an evaluation of the configuration management practices prior to the system’s implementation. Configuration management is a process that ensures that the system’s components are identified, controlled, and tracked throughout the system’s lifecycle. Configuration management helps to maintain the security and integrity of the system by preventing unauthorized or unintended changes. End-user authorization to use the system in production is not part of security certification, but rather a post-implementation activity that grants access rights to authorized users. External audit sign-off on financial controls is not part of security certification, but rather a verification activity that ensures that the system complies with financial reporting standards. Testing of the system within the production environment is not part of securitycertification, but rather a validation activity that ensures that the system meets the functional and performance requirements. References:

CISA Review Manual, 27th Edition, pages 449-4501

CISA Review Questions, Answers& Explanations Database, Question ID: 2572