
Weekly CISSP Practice

Exam Questions

Week 40 - Question 1

What is NOT a goal of Change Management in IT Security?

A. Minimize Disruptions
B. Documentation
C. Increase Overheads
D. Validation and Testing

Answer: C

Explanation:

A. Minimize Disruptions

The primary operational goal of change management is to ensure that "improvement" doesn't lead to "downtime."

  • The Mechanism: By requiring a formal review process, organizations can identify potential conflicts (e.g., patching a server during a peak business period) before they occur.

  • The CISSP Goal: This protects the Availability pillar of the CIA Triad.

B. Documentation

Documentation provides accountability and a "trail" for future troubleshooting or auditing.

  • The Requirement: Every change must be recorded, including the Requestor, the Approver, the Reason for the change, and the specific Steps taken.

  • The Benefit: If a system fails three days after a change, administrators can consult the change log to see exactly what was modified, which significantly reduces the Mean Time to Repair (MTTR).

C. Increase Overheads

In IT management, "overhead" refers to the extra resources (time, money, personnel) required to complete a task.

  • Why it's the Answer: While Change Management does require some extra effort (meetings, paperwork), the objective is to streamline operations and prevent the massive overhead caused by emergency fixes and unplanned outages. Security professionals aim to keep the process as lean as possible while still maintaining control.

D. Validation and Testing

Before a change is introduced to the "Live" or "Production" environment, its impact must be verified.

  • The Process: Changes are first implemented in a Sandbox or Testing environment that mirrors production. This ensures the change achieves the desired result without causing unintended side effects (like breaking an application's connection to a database).

  • The Rollback Plan: Every change must also include a "Back-out Plan"—a set of instructions on how to reverse the change immediately if something goes wrong during implementation.
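The validation step and the back-out plan described above can be made mechanical rather than left to an administrator's memory. The following is an added example, not code from the original page or the CISSP Cyber Training site: a POSIX shell script that backs up a configuration file before touching it, applies the requested edit, runs a validation check, and restores the backup automatically if validation fails, writing a change-log entry (requestor, approver, reason, step) at every stage. The sshd-style config, the file paths and the validation rules are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the original page): apply a config change with
# documentation, validation and an automatic back-out. Paths, the sample
# config and the validation rules are constructed for illustration.
set -eu

# Scratch directory so the example runs anywhere, offline.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CONFIG="$WORKDIR/sshd_config"
CHANGELOG="$WORKDIR/change.log"

# Constructed sample config standing in for the production file.
setup_sample() {
    cat > "$CONFIG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    : > "$CHANGELOG"
}

# Documentation goal: every step is recorded with who asked, who approved,
# why, and what was done, so a later failure can be traced to the change.
log_change() {
    printf '%s requestor=%s approver=%s reason="%s" %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" >> "$CHANGELOG"
}

# Validation goal: the file must still have exactly one Port directive and
# must deny root login (sshd honours the first PermitRootLogin it sees, so a
# leftover "yes" line is also rejected). Non-zero return means "do not ship".
validate_config() {
    [ "$(grep -c '^Port ' "$1")" -eq 1 ] || return 1
    grep -q '^PermitRootLogin no$' "$1" || return 1
    if grep -q '^PermitRootLogin yes$' "$1"; then return 1; fi
    return 0
}

# apply_change REQUESTOR APPROVER REASON SED_EXPR
# Back-out plan: take a backup first, edit a temp copy, validate, and restore
# the backup if validation fails. Returns 0 on success, 1 if backed out.
apply_change() {
    requestor=$1; approver=$2; reason=$3; expr=$4
    backup=$(mktemp "$CONFIG.bak.XXXXXX")
    cp "$CONFIG" "$backup"
    log_change "$requestor" "$approver" "$reason" "backup=$backup"

    # Edit into a temp file so a failing sed never leaves a half-written config.
    if ! sed "$expr" "$CONFIG" > "$CONFIG.tmp"; then
        rm -f "$CONFIG.tmp"
        log_change "$requestor" "$approver" "$reason" "apply_failed=$expr"
        return 1
    fi
    mv "$CONFIG.tmp" "$CONFIG"
    log_change "$requestor" "$approver" "$reason" "applied=$expr"

    if validate_config "$CONFIG"; then
        log_change "$requestor" "$approver" "$reason" "validated=ok"
        return 0
    fi
    # Validation failed: restore the pre-change file so the service stays up.
    cp "$backup" "$CONFIG"
    log_change "$requestor" "$approver" "$reason" "rolled_back_to=$backup"
    return 1
}

# Demo run: a good hardening change, then a bad edit that is backed out.
setup_sample
apply_change alice bob "CIS hardening" 's/^PermitRootLogin yes$/PermitRootLogin no/'
apply_change alice bob "typo in ticket" 's/^Port 22$//' || echo "change backed out"
cat "$CHANGELOG"
```

The point of the structure is that the back-out is not a separate runbook someone has to find at 3 a.m.: the backup, the validation and the restore are part of the same change, and the log shows which of them ran. A real deployment would replace `validate_config` with the service's own checker (for sshd, `sshd -t`) and a post-change health probe.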

Podcasts

Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.


CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam?

Check out the CISSP Cyber Training Academy to help you on your journey!


CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.
