Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.3.1. Business Processes Impacting Security Operations

💡 First Principle: Every IT change should flow through a structured process that evaluates security impact before implementation, ensuring accountability, reduced risk, and a paper trail. Change management exists because uncontrolled changes are one of the leading causes of security incidents and outages.

The exam expects you to recognize each process element and understand why it matters:

Approval process — changes require formal authorization from a Change Advisory Board (CAB) or designated authority. Emergency changes have expedited but documented approval — urgency doesn't eliminate the need for accountability.

Ownership — every change has a clear owner responsible for its outcome, security implications, and any remediation needed if the change causes problems.

Stakeholders — all parties affected by the change are identified and consulted. A firewall change affecting the development team requires dev team input, not just security team approval.

Impact analysis — assesses how the change affects security posture, availability, performance, and dependent systems. A seemingly minor DNS change can cascade across dozens of applications.

Test results — changes are validated in a non-production environment before deployment. Testing should include security validation — does the change introduce new vulnerabilities or weaken existing controls?

Backout plan — documented procedure to reverse the change if it fails or causes unexpected security issues. Without a backout plan, a failed change becomes a prolonged outage.

Maintenance window — changes scheduled during periods of minimal business impact. Critical security patches may justify emergency windows outside normal schedules.

Standard operating procedure (SOP) — step-by-step instructions ensuring consistency across personnel. SOPs prevent individual variation from introducing errors — every administrator follows the same process for the same type of change.

⚠️ Exam Trap: The backout plan is not optional. If a question describes a change implemented without a backout plan that then caused an outage, the missing backout plan is the answer to "what should have been done differently?"

Written by Alvin Varughese
Founder • 15 professional certifications