Introduction

When a business begins to use a change information resource (software, hardware, networks, system documentation, and operating procedures and environment) for any reason, it should be managed according to a specific process called a “control process” fixed in advance so that the transition is accomplished in an organized way in all its steps from the review to the authorization, test, implementation, and release of the changed resource.

In addition to the change management procedures, the control process should assign responsibilities and authorities to all the business staff involved.

Types of Change

Several types of change exist, based on their importance and their nature:

  • Emergency change is a change that should be evaluated and implemented as soon as possible after the occurrence of a disaster or a damaging incident, and it is implemented as a solution.
  • Standard change is a low-risk change in which a specific procedure to follow is usually already documented, and which is generally pre-approved to make the process shorter.
  • Major change is a high-risk change with potential financial consequences. The change request in this case should be comprehensive with appropriate financial arguments and necessary hierarchic approvals.
  • Normal change is a considerable change in a service or IT infrastructure and needs to be reviewed and approved by the change advisory board prior to its implementation.

Change Management Process

The change management process includes all the steps that start from a change identification, change request, request review, and prioritization by the change review board, evaluation through impact analysis, change approval or rejection, change testing, implementation, and finally a post-implementation review and request closing.

Roles and Responsibilities

Depending on the business, its change policy, its capacities, and its structure, the main roles related to change management are:

The change requestor is the person or department initiating the change.

The change review board consists of a group of advisors, including different business stakeholders and led by the change manager that review change requests, take decision upon them and make sure of a successful change implementation and follow-up.

The change manager is the person responsible for the proper execution of the change management process, whose mission is to change requests status, lead the review board, coordinate change, and make activity reports.

Some businesses have, in addition, such specific personnel as change developer, change implementer, change controller, and/or change scheduler.

Configuration

Change controls configuration is an integrative step of the change management process that includes the justified proposal, test, implementation, review, update (whether upgrade or modification), and audit of the information system change. It concerns any information resource, such as the operating system, application, routers, protocols, ports, accounts, firewalls; whether the change is a new setting configuration, an emergency change, or a correction of existing errors.

Only qualified and authorized personnel can proceed to change controls configuration if their roles and responsibilities are defined according to the business documentation. For instance, a developer can have a restricted role that does not allow him to change a software for security reasons. The other way around, all the information resources should be configured in a way that allows the use of the least functionality necessary to their business function and limits other functionalities that are optional or not required.

Documentation

Any change request should be documented, as along with the authorized person decision on it, which can be an approval or a rejection, and the consequences of that change. The request should be made through a standardized and central system.

Regarding the change consequences, information resources, policies and procedures should be updated after any change approval and old documentation should be processed based on the business’s internal policy for it. Indeed, a business might decide to archive the old documentation while another business might choose to destroy this documentation, either instantly or periodically.

There are several documents specific to information security change management that a business is encouraged to adopt in order to ensure an effective security after implementing changes in the information resources:

An inventory that is up to date with the current information resources, including all the details to ensure effective accountability, such as serial number, license information, manufacturer, physical location, and so forth and that allows reporting, tracking and audit.

A change management plan that defines the roles, responsibilities, processes, and policies supporting change in the information resource level, by giving details about how to implement the change according to the change management process, how to update the settings configuration, versions, and security baselines, how to maintain the inventory, how to develop, test, and control working environments and how to elaborate, apply, and maintain change documentation.

A change management policy that enables an official change control procedure for the business software, hardware, or network or any other information resource for an optimal security. It is applied in practice by the elaboration of written standards and procedures that support change. 

Security Impact Analysis

Security impact analysis has a double purpose. First, it aims to forecast the effects of change through potential scenarios and security consequences on information resources. Second, it aims to assess the potential costs generated by the change. Compliance with regulations and standards is an important aspect to consider at this stage.

Reviewing security documentation and assessing risk are common tasks in order to understand the change consequences on the controls and its impact and to define potential new controls. Indeed, being aware of the system and network architecture is the first step to seeing potential security violations, such as malware installation.

When there are several changes requested at the same time or, alternatively, a prioritization is needed according to their importance and impact, the emergency, and workload they involve.

Testing

Before implementing any change, tests should be performed, preferably in a closed environment such as an operational system taken off-line or replicated, which mainly depends on the business capacities. A controlled ideal environment that reflects reality is also required in order to make sure that the tests are transferable to the operational environment. This is an important step to reduce as much as possible the effects of change so that it does not affect the business process by making it longer, for instance, to assess its impact on operations and security  and to make sure that only authorized changes are made.

CISSP Training – Resources (InfoSec)

Versioning

When software is changed or updated, the new version should be controlled and old versions processed according to the business‘s specific policy for that. In other terms, versioning, also called version control, is the automatic recording of a change in any kind of file or a set of files that can be supported by a computer. There are different types of version control systems, and adopting one or the other depends only on strategic decision of a business:

  1. Local version control system: keeps versions in the same computer.
  2. Centralized version control system: keeps versions in a server and allows sharing those versions with other computers.
  3. Distributed version control system, which is different from the second by having, in addition to the central server, integrated servers in other computers that allow mirroring versions.

Baselining

Baselining is the configuration of the information system in a way that ensures its minimum security, including software and hardware, as well as any form of communication- and connectivity-related aspects. It should not only be developed, but also documented and updated regularly or when there is a major change, such as a new information system installation or upgrade, a hardware change, etc. Several measures should be taken into account, which vary according to the business needs and its used resources.

Communication

The change policy and procedure should be shared with all concerned personnel and should be available when needed.

Communication is an important aspect during the whole change process. For instance, if the human resources department wants to implement a new training virtual platform, it will communicate about it with the IT department in order to generate this change. Then the change request is formulated and reviewed with the change manager prior its submission, evaluation, and approval by the change review board, for instance. Any approved change should be first communicated to all the concerned personnel so that their feedback can be taken into account prior the implementation of that change. Approval of the personnel responsible is necessary, as well. After change implementation, a review is needed to improve or correct the process affected by the change and to ensure an effective security as well.

Conclusion

Change management is a complex process with different risk levels that depend on the type of change introduced. In order to successfully implement changes, a business should be prepared with the necessary documentation, process, and procedures, trained and qualified personnel, and an effective communication should be maintained during the whole process. Tracking and post-implementation review are necessary to improve the change or to correct errors.

References

Iso27k: model policy on change management and control

https://security.web.cern.ch/security/rules/en/baselines.shtml

VITA IT Configuration Management Policy v1.0

http://www.pearsonitcertification.com/articles/article.aspx?p=30287&seqNum=11

https://git-scm.com/book/en/v2/Getting-Started-About-Version-Control

https://www.linkedin.com/pulse/change-management-series-communication-jenny-shen-pmp-cissp-cisa

https://www.cherwell.com/products/it-service-management/itil-processes/essential-guide-to-itil-change-management

https://www.linkedin.com/pulse/roles-responsibilities-change-management-process-jenny?trk=mp-reader-card

http://www.itsmcommunity.org/downloads/Sample_Process_Guide_-_Change_Management.pdf

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

Earn your CISSP the first time with InfoSec Institute and pass your exam, GUARANTEED!

Section Guide

Ryan
Fahey

View more articles from Ryan