Example 1: Allow List Blocks the Installer
Scenario: An IT admin deploys a new application via remote push. The software distribution system reports 0% success across 200 workstations. No errors β just silent failure.
What happened: The organization uses an allow list. The new installer's executable was never added to the approved list. The OS silently blocked execution per policy. The push "worked" β the installer was delivered β but it couldn't run.
Key point: When deploying new software in an allow-list environment, updating the application control policy is a prerequisite β not an afterthought. Add the installer hash/signature to the allow list BEFORE the deployment window.
Example 2: The Dependency That Wasn't in the Plan
Scenario: A network engineer upgrades the VPN gateway software from v4 to v6. The upgrade completes successfully. Two hours later, the monitoring system reports that 30 remote branches have lost VPN connectivity.
What happened: The VPN gateway v6 dropped support for an old IKE (Internet Key Exchange) negotiation mode used by the branch office routers β all of which were running 4-year-old firmware. The dependency (gateway version β branch firmware compatibility) was not in the change plan because no one knew about it.
Key point: Dependencies aren't always documented. Vendor release notes should be read fully β not just the headline features. The fix required emergency firmware updates to 30 branch routers, each needing its own change approval. A proper pre-change dependency analysis would have discovered this.
Example 3: Version Control Saves a Configuration
Scenario: During a firewall rule update, an admin accidentally overwrites the existing NAT rule table instead of appending to it. By the time the error is discovered, the change window has closed and users are complaining about broken internal services.
With version control: The admin opens the version control repository, retrieves the previous firewall configuration from 90 minutes ago, and restores it in 8 minutes. Services restored. Total impact: 12 minutes of degraded connectivity.
Without version control: The admin has to reconstruct 40+ NAT rules from memory, old screenshots, and email threads. 4 hours later, services are partially restored. Two rules are still wrong and not discovered until the next morning.
Without version control: The admin has to reconstruct 40+ NAT rules from memory, old screenshots, and email threads. 4 hours later, services are partially restored. Two rules are still wrong and not discovered until the next morning.
Key point: Version control for configurations (not just code) is essential. It turns a potential hours-long disaster into a quick, clean restore.
Exam Scenario 1: "Allow list vs. deny list"
Question: A company wants the most restrictive application control policy. Only specific approved software should ever run. Which approach should they use?
A) Deny list β block all known malware
B) Allow list β only approved executables run
C) No policy β rely on endpoint antivirus
D) Deny list β because it's easier to manage than an allow list
Answer: B β Allow list
An allow list is the most restrictive option. Unknown software = blocked. A deny list allows anything not explicitly blocked, which means new or unknown threats can execute. For maximum security, use an allow list.
A) Deny list β block all known malware
B) Allow list β only approved executables run
C) No policy β rely on endpoint antivirus
D) Deny list β because it's easier to manage than an allow list
Answer: B β Allow list
An allow list is the most restrictive option. Unknown software = blocked. A deny list allows anything not explicitly blocked, which means new or unknown threats can execute. For maximum security, use an allow list.
Exam Scenario 2: "Scope of the change"
Question: During an approved 2-hour maintenance window to upgrade an email server, the technician discovers that the backup mail relay also needs a config update to work with the new email server version. What should the technician do?
A) Update the backup relay during the same window since it's related
B) Complete only the approved email server upgrade, document the relay issue, and submit a separate change request
C) Cancel the entire change and start over with both systems in scope
D) Update the relay first, then upgrade the email server
Answer: B
Scope discipline: complete what was approved, document what was discovered, submit separate requests for anything additional. The only exception is if the relay config update is trivially necessary and your change management policy explicitly allows minor scope adjustments to complete the primary change.
A) Update the backup relay during the same window since it's related
B) Complete only the approved email server upgrade, document the relay issue, and submit a separate change request
C) Cancel the entire change and start over with both systems in scope
D) Update the relay first, then upgrade the email server
Answer: B
Scope discipline: complete what was approved, document what was discovered, submit separate requests for anything additional. The only exception is if the relay config update is trivially necessary and your change management policy explicitly allows minor scope adjustments to complete the primary change.