After completing this video, the learner will understand proper change management techniques, including performing security impact analysis and the use of versioning and baselining.
- [Voiceover] Information technology is in a constant state of change. It's hard to find an organization that relies on technology that doesn't go through changes every day. These changes may range from simple software updates to major system deployments. Information security professionals must understand the role that change management plays in protecting an organization. Change is a good thing. Progress comes from change, and organizations change on a daily basis. When it comes to information technology, organizations must take steps to ensure that change achieves business objectives without disrupting operations.
That's where change management comes into play. Change management processes ensure that organizations follow a standardized process for requesting, reviewing, approving, and implementing changes to information systems. Change management processes have the goal of minimizing the probability and impact of disruptions to normal IT services because of change. This includes an assessment of the security impact of every proposed change. The standard tool used for change management is the request for change, or RFC.
In an organization practicing strong change management, any individual who wants to change a system writes the change in an RFC that includes some standard elements. RFCs should include a description of the proposed change, an explanation of the expected impact, an assessment of the risk involved with the change, a plan for rolling back the change if it fails, the identity of the individuals or groups involved in the change, a proposed schedule for the change, and the configuration items affected by the change.
Once someone submits an RFC for review, it must be approved by a relevant authority. For minor changes, this may simply be the person's manager. In the case of major changes, the organization's change advisory board, or CAB, may review and approve the change. Some routine changes have preapproved status and may be made as soon as the RFC is submitted. For example, if storage engineers replace backup tapes each month, they might have a preapproved change in the change management system for that activity.
The engineers still submit an RFC, but the RFC is approved immediately because it matches a preapproved change. Work may then begin on schedule, with no other approval required. Baselining is an important component of change management. A baseline is a snapshot of a system or application at a given point in time. Baselines may be used to assess whether a system has changed outside of an approved change management process. System administrators may compare a running system to a baseline to identify all changes to the system and then compare those changes to approved RFCs.
Versioning and version control are also critical components of change management programs, particularly in the area of software and script development. Versioning assigns each release of a piece of software an incrementing version number that may be used to identify any given copy. These numbers are frequently written as three-part dotted numbers, with the first number representing the major version of the software, the second number representing the major update number, and the third number representing minor updates. Apple's iOS uses this scheme, as do many other software products.
For example, iOS 9 is a major version of the iPhone and iPad operating system. When Apple periodically releases major updates to iOS, they add a second number to the version string, such as iOS 9.1. Then, if they make small updates to iOS 9.1 prior to the release of iOS 9.2, they add a third number, such as iOS 9.1.1. Change management allows technology professionals to track the status of hardware, software, and firmware, ensuring that change occurs when desired but in a controlled fashion that minimizes risk to the organization.
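The baseline comparison described above (snapshot a system, compare the running state against it, then check the differences against approved RFCs) can be done with nothing more than a hash manifest. The following is an added example, not code from the video or its author. It snapshots every file under a directory as path-to-SHA-256, diffs a later snapshot against it, and reports any change that no RFC covers. The directory contents, file names and the approving RFC-1042 are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> Dict[str, str]:
    """Snapshot every regular file under root as relative POSIX path -> SHA-256."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_to_baseline(baseline: Dict[str, str],
                        current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between two snapshots as added, removed or modified."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def unauthorized_changes(diff: Dict[str, List[str]],
                         approved_paths: Iterable[str]) -> List[str]:
    """Changes to configuration items that no approved RFC lists."""
    approved = set(approved_paths)
    changed = diff["added"] + diff["removed"] + diff["modified"]
    return sorted(p for p in changed if p not in approved)


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Constructed scenario: baseline, one approved edit, two edits nobody filed an RFC for."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "ntp.conf").write_text("server 0.pool.ntp.org\n")
        baseline = take_baseline(root)

        # Hypothetical RFC-1042: approved configuration items are etc/ntp.conf only.
        approved = {"etc/ntp.conf"}
        (root / "etc" / "ntp.conf").write_text("server 1.pool.ntp.org\n")

        # Constructed out-of-process changes: a weakened setting and a new key file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "authorized_keys").write_text("ssh-ed25519 AAAAC3 constructed-key\n")

        current = take_baseline(root)
        diff = compare_to_baseline(baseline, current)
        return diff, unauthorized_changes(diff, approved)


if __name__ == "__main__":
    diff, unauthorized = demo()
    print("diff:", diff)
    print("changes with no approved RFC:", unauthorized)
```

Two things a practitioner will want beyond this sketch: the baseline must be stored and signed somewhere the audited system cannot write to, or whoever alters a file can simply regenerate the manifest; and the approved-path set should be produced from the configuration items recorded in closed RFCs rather than typed by hand, so the comparison against "approved changes" is the one the change records actually authorize.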
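The three-part version numbers described above look like decimals but are not: 9.10.0 is newer than 9.9.1, and a plain string comparison gets that wrong. The following is an added example, not code from the video, that parses a dotted version into integer parts, compares releases numerically, and names which component changed. The routing of each change type to an approval tier (patch preapproved, minor to a manager, anything larger to the CAB) is a hypothetical policy chosen for illustration, not one the video states.

```python
from typing import Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """Parse 'major.minor.patch'; a missing minor or patch counts as 0, so '9' == '9.0.0'."""
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a one-to-three-part numeric version: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify_change(old: str, new: str) -> str:
    """Return 'major', 'minor', 'patch', 'none' or 'downgrade' for a move from old to new."""
    a, b = parse_version(old), parse_version(new)
    if b == a:
        return "none"
    if b < a:  # tuple comparison is numeric, component by component
        return "downgrade"
    if b[0] != a[0]:
        return "major"
    if b[1] != a[1]:
        return "minor"
    return "patch"


# Hypothetical approval routing for illustration; a real CAB sets its own policy.
APPROVAL_TIER = {
    "none": "no RFC needed",
    "patch": "preapproved",
    "minor": "manager",
    "major": "CAB",
    "downgrade": "CAB",  # rollbacks outside a failed change deserve full review
}


def approval_required(old: str, new: str) -> str:
    """Which approver a version move would need under the hypothetical policy above."""
    return APPROVAL_TIER[classify_change(old, new)]


if __name__ == "__main__":
    for old, new in [("9", "9.1"), ("9.1", "9.1.1"), ("9.2", "10.0"), ("9.9.1", "9.10.0")]:
        print(f"{old:>6} -> {new:<6} {classify_change(old, new):9} {approval_required(old, new)}")
    print("string compare says 9.10.0 > 9.9.1:", "9.10.0" > "9.9.1")
```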
- Implementing security controls and policies
- Performing a risk assessment
- Understanding the five risk management actions
- Managing third-party relationships (vendors, etc.)
- Mitigating risk with change management, audits and assessments, and more
- Building an incident response program
- Understanding digital forensics
- Providing security and compliance training
- Ensuring physical security
- Planning for business continuity and disaster recovery
- Matching controls to security goals