Domain 1: General Security Concepts Module 5 of 61

Change Management and Security Impact

Security+ Domain 1 — General Security Concepts B — Zero Trust and Cryptography 10–14 minutes

What the Exam Is Really Testing

Change management is not just an ITIL concept that lives in operations textbooks. CompTIA tests it because poorly managed changes are one of the most common causes of security incidents.

The exam tests whether you understand that every change to a system, application, or process has security implications — and whether you know the process to manage those implications before they become incidents.

You will see scenarios where a change was made without following proper procedures, and the question asks what went wrong. You will also see scenarios where a change needs to be made, and the question asks what should happen first.

The Change Management Process

Change management provides a structured approach to transitioning systems, processes, or configurations from one state to another. Every change follows a lifecycle:

  1. Request: Someone identifies a need for change and submits a formal request
  2. Impact analysis: The change is evaluated for its effect on security, operations, and dependent systems
  3. Approval: Designated stakeholders review and approve or reject the change
  4. Testing: The change is validated in a non-production environment
  5. Implementation: The change is deployed during an approved maintenance window
  6. Verification: Post-implementation testing confirms the change works as expected
  7. Documentation: The change and its results are recorded for future reference
If a question describes a change that skipped any of these steps, that is the vulnerability the question is testing.

Approval Processes and Stakeholders

Not every change requires the same level of approval. Change management categorizes changes by risk level:

  • Standard changes: Pre-approved, low-risk, routine changes. Example: applying a routine security patch to a test server. These follow a documented procedure without requiring individual approval each time
  • Normal changes: Require formal review and approval. Example: migrating a database to a new server. These go through the full change advisory board (CAB) process
  • Emergency changes: Bypass normal approval workflows due to urgency. Example: deploying a critical vulnerability patch during an active exploitation. These still require documentation after the fact

Key Stakeholders

CompTIA expects you to know who is involved in change decisions:

  • Change Advisory Board (CAB): Cross-functional group that reviews and approves changes. Includes IT, security, business stakeholders
  • Change owner: The individual responsible for the change request
  • Technical reviewer: Evaluates technical feasibility and impact
  • Security reviewer: Evaluates security implications of the proposed change
  • Business owner: Represents the business unit affected by the change

Impact Analysis

Impact analysis is the security-critical step. Before any change is approved, the team must assess:

  • Security impact: Does this change open new attack vectors? Does it disable existing controls? Does it change the attack surface?
  • Dependency impact: What other systems depend on the system being changed? Will the change break integrations?
  • Availability impact: Will the change require downtime? How long? Which users are affected?
  • Compliance impact: Does the change affect regulatory compliance? Will it violate audit requirements?
  • Data impact: Is data at risk during the change? Are backups current?
On the exam, when a scenario describes a change that caused an unexpected security issue, the root cause is almost always an inadequate impact analysis.

Technical Implications of Changes

CompTIA specifically tests these technical considerations in change management scenarios:

Allow Lists and Deny Lists

Changes to allow lists (whitelists) and deny lists (blacklists) have immediate security impact. Adding an application to an allow list permits its execution. Removing a domain from a deny list allows access to it. These changes must be reviewed for security implications.

Downtime and Service Restarts

Many changes require service restarts or system reboots. This creates a window of vulnerability:

  • Security services may be temporarily unavailable during restarts
  • Users may lose connectivity, creating availability concerns
  • Systems may come back in a default or less-secure state

Legacy Applications

Changes that work fine on modern systems may break legacy applications. Legacy systems often:

  • Use outdated protocols that new configurations may disable
  • Depend on specific library versions that updates may change
  • Lack support for modern authentication methods
  • Cannot be easily tested because no test environment exists

Dependencies

Systems rarely exist in isolation. Changing one system can cascade across the environment:

  • A firewall rule change may block traffic to dependent services
  • A certificate renewal on one server may break trust chains
  • An OS upgrade may invalidate security agent compatibility
  • A DNS change may break application integrations

Backout Plans

Every change must have a backout plan — a documented procedure to reverse the change if it fails or causes unexpected issues.

A backout plan includes:

  • Steps to reverse the change to the previous state
  • Time estimate for the reversal
  • Decision criteria for when to trigger the backout
  • Roles and responsibilities during the reversal
  • Verification steps to confirm the system is restored

Without a backout plan, a failed change can leave systems in an unstable or insecure state with no clear path to recovery.

Maintenance Windows

Changes should be implemented during scheduled maintenance windows — predefined time periods when the business impact of downtime is minimized.

  • Maintenance windows are typically during off-peak hours
  • Users and stakeholders are notified in advance
  • Support staff are available during the window to address issues
  • The window includes time for testing and potential rollback

Implementing changes outside maintenance windows increases risk because support staff may not be available, users may be affected unexpectedly, and there may not be sufficient time for rollback.

Test Results and Documentation

Changes must be tested before production deployment. Test results serve two purposes:

  1. Functional validation: Does the change work as intended?
  2. Security validation: Does the change introduce new vulnerabilities?

Documentation must capture the entire lifecycle — from request through implementation to post-change verification. This documentation serves as an audit trail, a reference for similar future changes, and evidence for compliance reviews.

Pattern Recognition

Security+ questions on change management follow these patterns:

  • Root cause identification: "A patch was deployed and broke a critical application." What went wrong? Insufficient testing or impact analysis
  • Process ordering: "What should be done FIRST before implementing a change?" Impact analysis or approval, depending on the scenario
  • Emergency change handling: "A critical vulnerability is being actively exploited." Emergency change procedures allow faster deployment but still require post-implementation documentation
  • Missing step identification: "An administrator made a configuration change that caused a security incident." The question tests which step was skipped

Trap Patterns

Common wrong answers and why they are wrong:

  • Skipping testing for urgency: Even emergency changes require some validation. The exam favors process over speed, except when the question explicitly describes an active threat
  • Confusing impact analysis with risk assessment: Impact analysis evaluates the effect of a specific change. Risk assessment evaluates threats to the organization broadly. They are related but different activities
  • Implementing changes without a backout plan: If the question mentions no rollback procedure, that is the gap. Every change needs a defined reversal path
  • Assuming all changes need CAB approval: Standard (pre-approved) changes follow documented procedures without individual CAB review. Only normal and emergency changes require explicit approval

Scenario Practice

Question 1

A system administrator deploys a firewall rule change during business hours without submitting a change request. The change blocks traffic to a critical business application, causing a four-hour outage that affects customer transactions.

What is the PRIMARY failure in this scenario?

A. The firewall hardware was insufficient to handle the new rule configuration
B. The administrator did not follow the change management process before deploying
C. The business application should have been designed with more redundancy built in
D. The security team should have implemented real-time firewall monitoring tools

Answer & reasoning

Correct: B

The administrator bypassed the change management process entirely — no change request, no impact analysis, no approval, no maintenance window. Following the process would have identified the dependency on the business application before the change was deployed.

The hardware, application design, and monitoring are secondary concerns. The root cause is the process failure.

Question 2

An organization needs to apply a critical security patch to a production database server. The patch vendor notes that the update requires a server restart and may affect applications using older authentication protocols.

What should the security team do FIRST?

A. Apply the patch immediately during business hours to minimize vulnerability exposure
B. Perform an impact analysis to identify dependent systems and legacy applications
C. Schedule the patch for the next available maintenance window without further review
D. Deploy the patch to the production server and monitor for errors after installation

Answer & reasoning

Correct: B

The vendor specifically warns about older authentication protocol compatibility. This demands an impact analysis to identify which applications use those protocols before proceeding. Deploying without this analysis risks breaking dependent systems.

Even critical patches should go through impact analysis. Scheduling without review or deploying and hoping for the best are both process failures.

Question 3

During an approved maintenance window, an infrastructure team deploys a major network configuration change. Thirty minutes into the implementation, critical monitoring systems stop receiving data from multiple network segments.

What should the team do NEXT?

A. Continue the implementation and troubleshoot the monitoring issues afterward
B. Contact the monitoring vendor for emergency support to diagnose the data loss
C. Execute the backout plan to restore the previous network configuration state
D. Extend the maintenance window to allow additional time for troubleshooting efforts

Answer & reasoning

Correct: C

When a change causes unexpected critical failures, the backout plan should be executed. This is exactly what backout plans are designed for — restoring the previous known-good state when a change goes wrong.

Continuing forward with broken monitoring means flying blind. Troubleshooting during a maintenance window risks exceeding the window. The safe answer is always to roll back first, then investigate.

Key Takeaway

Every change has security implications. Change management exists to ensure those implications are identified, evaluated, and addressed before the change is deployed. The process includes impact analysis, stakeholder approval, testing, maintenance windows, and backout plans. On the exam, when something goes wrong after a change, the answer almost always points to a step that was skipped. Know the process, identify the gap, and pick the answer that addresses the process failure — not the technical symptom.

Next Module Module 6: Cryptographic Concepts and Methods