i need some help on revising this because i dont know if this is correct Can you determine whether a change control process was used?

Based on earlier discussion, I've chosen the outages involving Microsoft and CrowdStrike as examples. These disruptions significantly impacted business operationsmany systems stopped functioning entirely, showing only a blueprint screen after users downloaded the latest software update.

In the case of the July 19, 2024, CrowdStrike outage, there is strong evidence to suggest that a formal and effective change control process was not properly followed. The problem originated from a faulty Channel File 291 update deployed globally, which caused about 8.5 million Windows devices to crash. The update had coding errors, such as mismatched IPC Template Type inputs and missing array bounds checks, that should have been identified during pre-deployment testing. The rapid rollout and widespread impact indicate that standard safeguardslike sandbox testing, incremental deployment, and peer reviewwere either skipped or ignored. This reveals a failure in the structured oversight that a strong change control process is meant to ensure.

Therefore, CrowdStrike likely had a documented change control process in place. However, this incident demonstrates that even with a formal structure, the absence of rigorous execution and oversight can render that process ineffective. Updates to deeply integrated system componentslike the Falcon Sensor's interaction with the Windows kernelrequire elevated caution. When those protocols are rushed or loosely enforced, even routine changes can escalate into industry-wide disruptions. The July 2024 crash highlights not a lack of process but a failure in governance, discipline, and accountability within that process.

CrowdStrike's postmortem acknowledged that the update was pushed without a specific test for non-wildcard matching criteria in the 21st input field, which triggered an out-of-bounds memory read error (CrowdStrike, 2024). The fact that the update was rolled back within 78 minutes but still caused billions in damages underscores how even short-lived missteps can have long-term repercussions when change control is weak or absent.

Could the use of a change control process have affected the project outcome?

A properly executed change control process could have significantly altered the outcome of the CrowdStrike incident. Conducting sandbox testing before deployment would likely have identified technical flaws prior to reaching production environments. Additionally, an incremental rollout strategystarting with internal or non-critical systemswould have confined the impact and allowed quick and effective rollback procedures. Industry analyses have emphasized that deploying changes without isolation testing or gradual release protocols was a major operational oversight. This reflects widely accepted best practices and highlights how critical oversight and proactive risk analysis can prevent catastrophic failures.

Moreover, the outage revealed a gap in the shared responsibility model between vendors and clients. Many organizations affected by the crash had no control over the update, yet bore the brunt of its consequences. This reinforces the importance of vendor-side change control not only for internal resilience but also for protecting downstream dependencies. A well-governed change process would have included stakeholder impact assessments and communication protocols to alert clients of potential risks before deployment.

The CrowdStrike incident had a profound impact on project outcomes across multiple sectors, and it serves as a textbook example of how inadequate change control can derail even well-established systems. The flawed update to CrowdStrike's Falcon sensor triggered Blue Screen of Death (BSOD) errors on approximately 8.5 million Windows devices, affecting airlines, hospitals, banks, and public transit systems. The resulting outages led to canceled flights, disrupted medical appointments, and halted financial transactions, while IT teams scrambled to manually resolve the issue, delaying recovery and inflating labor costs.

Financial consequences were severe, with damages estimated in the billions. Delta Airlines alone is seeking $500 million in compensation, and CrowdStrike faces a class action lawsuit alleging misleading statements about its testing protocols. The company's stock price suffered, shaking investor confidence and raising questions about long-term valuation.

From a project management standpoint, the incident exposed breakdowns in quality assurance, deployment strategy, and stakeholder communication. A mature change control process would have mitigated these risks through sandbox testing, incremental rollout mechanisms, and proactive rollback strategies. It also underscored the importance of vendor accountability within the shared responsibility model; many clients did not influence the update but were directly impacted.

Strategically, this event has prompted organizations to reassess vendor selection criteria and to elevate change control from a procedural safeguard to a cultural imperative. Future implementations may benefit from integrating predictive analytics and anomaly detection into the change lifecycle to further strengthen pre-deployment visibility and risk forecasting.

Describe what a change control process at that company would have looked like.

At CrowdStrike, an ideal change control process would start with engineers submitting formal change proposals that detail the purpose and expected effects of the update. These proposals would then go through a multi-team impact assessment, evaluating technical, customer-facing, and infrastructure risks. High-risk changes would be escalated to a Change Advisory Board for approval. After approval, the update would be tested in isolated sandbox environments to confirm functionality and compatibility. If successful, the change would be implemented gradually to specified segments, beginning with internal users or test clients, while being monitored continuously. Automated rollback mechanisms would be prepared to activate if issues arise. Finally, a post-deployment review would document lessons learned and incorporate improvements into future release cycles. This comprehensive process would help CrowdStrike maintain system integrity, safeguard client environments, and strengthen its reputation as a trusted cybersecurity leader.

In response to the outage, CrowdStrike introduced its "Resilient by Design" framework, which includes foundational, adaptive, and continuous components aimed at improving operational resilience. This framework reflects a shift toward more rigorous change governance and continuous improvement, aligning with the principles of effective change control.

Defend my opinion with an example.

One example that strongly supports the need for a robust change control process is the 2020 Microsoft Azure outage. In this incident, a configuration change to the Azure DNS infrastructure was deployed without adequate pre-release testing and change validation. The result was a global disruption of services, including Microsoft Teams, Outlook, and Xbox Live, which impacted millions of users for several hours. Microsoft later acknowledged that a lack of staged rollout and rollback mechanisms contributed to the severity of the outage. This case mirrors the CrowdStrike failure in its scale and preventability, illustrating that even tech giants can suffer from bypassed protocols. The lesson here is clear: when change control is rigorously followed, the risk of widespread failure diminishes significantly.

Both incidents demonstrate that change control is not just a procedural formalityit's a strategic safeguard that protects business continuity, customer trust, and organizational reputation. Whether in cybersecurity or cloud infrastructure, the absence of structured change governance can turn routine updates into global crises.

Let me know if you'd like to integrate this with risk quantification models or align it with healthcare IT scenarios for your coursework. I can also help format it for APA or include citations if needed.