18: Change Management
including hiring qualified personnel, bonding contractors, and using training, monitoring, and evaluation practices, can reduce any organization's exposure to risk. The establishment of such practices can ensure that enterprise assets are properly safeguarded and can also greatly reduce error and the potential for fraudulent or malicious activities. Change management practices implement and enforce separation of duties by adding structure and management oversight to the software development and system operation processes. Change management techniques can ensure that only correct and authorized changes, as approved by management or other authorities, are allowed to be made, following a defined process.
Elements of Change Management
Change management has its roots in system engineering, where it is commonly referred to as configuration management. Most of today's software and hardware change management practices derive from long-standing system engineering configuration management practices. For example, automakers know that a certain amount of configuration management is necessary to build safe cars efficiently and effectively. Bolts and screws with proper strengths and qualities are used on every car, in specific places; employees don't just reach into a barrel of bolts, pull one out that looks about right, and bolt it on. The same applies to aircraft: for an aircraft to fly safely, it must be built of parts of the right size, shape, strength, and so on. Computer hardware and software development have also evolved to the point that proper management structure and controls must exist to ensure the products operate as planned.

Change management and configuration management use different terms for their various phases, but they all fit into the four general phases defined under configuration management:

Configuration identification
Configuration control
Configuration status accounting
Configuration auditing

Configuration identification is the process of identifying which assets need to be managed and controlled. These assets could be software modules, test cases or scripts, table or parameter values, servers, major subsystems, or entire systems. The idea is that, depending on the size and complexity of the system, an appropriate set of data and software (or other assets) must be identified and properly managed. These identified assets are called configuration items or computer software configuration items.

Related to configuration identification, and the result of it, is the definition of a baseline. A baseline serves as a foundation for comparison or measurement. It provides the necessary visibility to control change. For example, a software baseline defines the software system as it is built and running at a point in time. As another example, network security best practices clearly state that any large organization should build its servers to a standard build configuration to enhance overall network security. The servers are the configuration items, and the standard build is the server baseline.

CompTIA Security+ All-in-One Exam Guide

Configuration control is the process of controlling changes to items that have been baselined. Configuration control ensures that only approved changes to a baseline are allowed to be implemented. It is easy to understand why a software system, such as a web-based order entry system, should not be changed without proper testing and control; otherwise, the system might stop functioning at a critical time. Configuration control is a key step that provides valuable insight to managers. If a system is being changed, and configuration control is being observed, managers and others concerned will be better informed. This ensures proper use of assets and avoids unnecessary downtime due to the installation of unapproved changes.

Configuration status accounting consists of the procedures for tracking and maintaining data relative to each configuration item in the baseline. It is closely related to configuration control. Status accounting involves gathering and maintaining information relative to each configuration item. For example, it documents what changes have been requested; what changes have been made, when, and for what reason; who authorized the change; who performed the change; and what other configuration items or systems were affected by the change.

Returning to our example of servers being baselined, if the operating system of those servers is found to have a security flaw, then the baseline can be consulted to determine which servers are vulnerable to this particular security flaw. Those systems with this weakness can be updated (and only those that need to be updated). Configuration control and configuration status accounting help ensure systems are more consistently managed and, ultimately in this case, the organization's network security is maintained. It is easy to imagine the state of an organization that has not built all servers to a common baseline and has not properly controlled their systems' configurations. It would be very difficult to know the configuration of individual servers, and security could quickly become weak.

NOTE
It is important that you understand that even though all servers may be initially configured to the same baseline, individual applications might require a system-specific configuration to run properly. Change management actually facilitates system-specific configuration in that all exceptions from the standard configuration are documented. All people involved in managing and operating these systems will have documentation to help them quickly understand why a particular system is configured in a unique way.

Configuration auditing is the process of verifying that the configuration items are built and maintained according to the requirements, standards, or contractual agreements. It is similar to how audits in the financial world are used to ensure that generally accepted accounting principles and practices are adhered to and that financial statements properly reflect the financial status of the enterprise. Configuration audits ensure that policies and procedures are being followed, that all configuration items (including hardware and software) are being properly maintained, and that existing documentation accurately reflects the status of the systems in operation.
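The server-baseline example that runs through the four phases above, as an added Python model that is not from the exam guide: the servers are the configuration items, the standard build is the baseline, only approved changes reach the baseline and are recorded, the baseline is consulted to find servers carrying a flawed version, and an audit compares an inventory scan against the controlled configuration. All hostnames, version strings and names are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Configuration identification (constructed sample data): the servers are the
# configuration items and the standard build is the server baseline.
STANDARD_BUILD = {"os": "ExampleOS 5.2", "sshd": "9.6", "agent": "1.4"}
SERVERS = ["web01", "web02", "db01"]

# Status accounting data kept per change: what, why, who asked, who approved.
ChangeRecord = namedtuple("ChangeRecord", "ci item old new reason requested_by approved_by")

@dataclass
class ConfigurationManager:
    controlled: dict = field(
        default_factory=lambda: {s: dict(STANDARD_BUILD) for s in SERVERS})
    history: list = field(default_factory=list)

    def apply_change(self, rec):
        """Configuration control: only approved changes reach the baseline."""
        if not rec.approved_by:
            raise PermissionError(f"change to {rec.ci}:{rec.item} has no approver")
        if self.controlled[rec.ci].get(rec.item) != rec.old:
            raise ValueError("request does not match the current baselined value")
        self.controlled[rec.ci][rec.item] = rec.new
        self.history.append(rec)  # status accounting record

    def affected_by(self, item, version):
        """Consult the baseline to find which CIs carry a flawed version."""
        return sorted(ci for ci, cfg in self.controlled.items()
                      if cfg.get(item) == version)

    def audit(self, observed):
        """Configuration auditing: where does a running system deviate from
        its controlled configuration (an undocumented, unapproved change)?"""
        return [(ci, item, value, observed.get(ci, {}).get(item))
                for ci, want in self.controlled.items()
                for item, value in want.items()
                if observed.get(ci, {}).get(item) != value]

def demo():
    cm = ConfigurationManager()
    # db01's application needs an older agent: a documented, approved exception
    cm.apply_change(ChangeRecord("db01", "agent", "1.4", "1.3",
                                 "DB application requires agent 1.3",
                                 "dba-team", "change-board"))
    # A flaw is announced in ExampleOS 5.2: which servers must be patched?
    vulnerable = cm.affected_by("os", "ExampleOS 5.2")
    # Constructed inventory scan; web02 was changed outside the process
    observed = {ci: dict(cfg) for ci, cfg in cm.controlled.items()}
    observed["web02"]["sshd"] = "9.7"
    return vulnerable, cm.audit(observed), len(cm.history)
```

The audit finding for web02 is exactly the situation the text warns about: a server whose running configuration no longer matches its documented baseline, with no change record explaining why.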
