Data security and governance: changes to the database should be permitted only under which access controls?

Difficulty: Easy

Correct Answer: both (a) and (b)

Explanation:


Introduction / Context:
Effective database governance blends organizational authorization with strong technical controls. Writing to production databases—be it schema changes or data updates—must be tightly controlled to prevent fraud, errors, and breaches. Defense in depth combines role-based approvals with personal authentication and audit trails.


Given Data / Assumptions:

  • Departmental authorization ensures the organization approves the change (right role/function).
  • Individual authentication proves the specific person executing the change.
  • Both together reduce misuse risk and support accountability.


Concept / Approach:
Departmental codes (or role credentials) confirm that a change is within a business unit’s mandate; personal passwords (or multifactor credentials) bind actions to an individual. Combining them supports separation of duties, least privilege, and non-repudiation. Modern implementations use RBAC/ABAC, MFA, change tickets, and database auditing to enforce and record compliance.


Step-by-Step Solution:

  • Identify the organizational authorization need → departmental codes/roles.
  • Identify the individual authentication need → personal passwords/MFA.
  • Combine both for dual control and auditability.
  • Select “both (a) and (b).”


Verification / Alternative check:
Standards and best practices (for example, SOX-style controls) require role authorization and individual authentication for sensitive changes, validating the inclusive answer.


Why Other Options Are Wrong:

  • Only departmental or only individual control is insufficient for robust governance.
  • Neither/None contradicts basic security principles.


Common Pitfalls:
Sharing accounts within teams, bypassing approvals, or using generic passwords all defeat accountability; always enforce personal credentials plus role authorization.


Final Answer:
both (a) and (b)
