CISSP Practice Question: One Switch, One Chance
- Luke Ahmed
- 5 days ago

You're working in a large enterprise where configuration changes to the core network switch happen just once a year. It's a massive move—because one misstep could knock out connectivity across multiple departments. This time, the proposed change introduces a new routing protocol and modifies VLAN segmentation.
Before making this change, which action should the security team take to BEST evaluate whether the switch update will negatively affect existing security controls?
A. Privacy Impact Assessment
B. Configuration Audit
C. Security Impact Analysis
D. Vulnerability Scan
Let’s break it down.
A. Privacy Impact Assessment (PIA)
This is your go-to for any change that affects personal data (PII). If this change rerouted traffic to a database with customer data, sure—PIA would apply. But this is a network-level change, not a privacy one. Save PIA for GDPR, HIPAA, and third-party vendor reviews—not VLAN configs.
Eliminate it.
B. Configuration Audit
Tempting, right? A config audit checks current system settings against a known-good baseline. It’s great for spotting things like Telnet still being enabled or outdated SNMP versions. But it’s reactive. It checks what is, not what might happen.
Useful later—not now.
D. Vulnerability Scan
These tools (like Nessus or Qualys) identify known issues—open ports, missing patches, outdated firmware. But they don’t simulate architectural impact. They won’t warn you that a new VLAN config breaks your IDS monitoring or exposes your dev network to the internet.
Scans find flaws. They don’t predict consequences.
C. Security Impact Analysis (SIA) – The Correct Answer
SIA is the only option here that is:
- Predictive, not reactive
- Security-focused
- Performed before the change
- Strategic, not technical
It’s used to assess how a proposed change might affect existing controls and whether it introduces new risk. If you see “before implementation” and “security posture” in the same sentence on the CISSP exam—think SIA.
CISSP Mindset Takeaway:
If you’re thinking like a manager (and not just a tech), you’ll spot these clues every time:
- Privacy? Eliminate unless there’s user data involved.
- Audit or scan? Eliminate unless the change already happened.
- Impact on security posture? Go with SIA.
Every change is a chance to prove you’re thinking like a manager.