I bumped into this question in Luke’s group today.
What is the primary purpose of change management?
A. To prevent unwanted reductions to security
B. To allow management to review all changes
C. To delay the release of mission-critical patches
D. To improve the productivity of end-users
Charlie Lindell’s comment includes a screenshot that reads as follows:
The General Change Management Process
Any change request has to be documented, evaluated, approved, implemented, reported and communicated so that the risk of the change can be managed to prevent unwanted reductions to security. As changes are documented, they can be reviewed for lessons learned or continuous improvement.
The “Correct” Answer
All the benefits stated above are critical factors in improving the productivity of end users, which contributes to the ultimate goal of security: delivering value. So, in terms of the primary “purpose”, I had chosen D because it is a step further, from avoiding loss to delivering value, but I am having second thoughts.
I have to admit that we usually request changes reactively, in response to certain security events or issues, so that our security objectives are kept intact. We don’t do change management proactively with the primary aim of improving the productivity of end users.
To deliver value proactively, we can evaluate a change request from the perspective of both threats and opportunities. The security objectives must be achieved first, by handling the threats, and only then the opportunities that contribute to the business objectives.
As all security efforts are directed by objectives, specifically CIA (confidentiality, integrity and availability), I consider the option “To allow management to review all changes” a means, not an end or purpose.
In conclusion, I would choose “to prevent unwanted reductions to security” as the primary purpose of change management.
The real world is volatile and fuzzy
As a CISSP aspirant, learning information security is not about right or wrong answers. What matters is the concept, justification, logic, and reasoning process, because real-world situations are much more complicated. No single correct answer or solution will resolve every question or problem.
Think about it!
So, how do we distinguish between the following concepts:
- goal and purpose
- overall and primary
- threat and opportunity
- security and risk
This is an interesting question that deserves your thinking.