An information security manager has been asked to develop a change control process. What is
the FIRST thing the information security manager should do?
A.
Research best practices
B.
Meet with stakeholders
C.
Establish change control procedures
D.
Identify critical systems
Explanation:
No new process will be successful unless it is adhered to by all stakeholders; to the extent
stakeholders have input, they can be expected to follow the process. Without consensus
agreement from the stakeholders, the scope of the research is too wide; input on the current
environment is necessary to focus research effectively. It is premature to implement procedures
without stakeholder consensus and research. Without knowing what the process will be the
parameters to baseline are unknown as well.