7.9 Understand and participate in change management processes

An organization uses change management to ensure that assets and configurations are maintained in a desired state.  For example, an organization might have a firewall with a specific configuration.  An administrator should not be able to just log in and change the configuration whenever he feels like it.  With change management, the administrator might follow this process:

  • Request approval for the change to the configuration

  • Explain why the change is necessary – what is the business justification?

  • Explain how the change will be made and what impact it will have

  • Senior management or a committee will approve or deny the change

  • The change is then implemented

  • The change is documented – the organization is now aware of the firewall’s new configuration

  • If there is an error with the change, it can be rolled back (there must always be a plan to reverse the change)

In order for us to use change management effectively, we must have an inventory of every item and its configuration.  Everything must be documented.

Best practices for changes include:

  • Changes are controlled by management or by a committee, and cannot be made by individual users.  This committee might be called the Change Advisory Board, or CAB.

  • A change must be tested to ensure that it works according to plan.

  • We must be able to revert to the original configuration, and we must have a plan for doing so.

  • We should inform users of the change prior to implementing it, so that they are aware of the potential for downtime or data loss and can plan accordingly.  The amount of notice required depends on the amount of downtime and the number of people that it will affect.

  • We should implement the change in a way that reduces its impact on the organization.  That could mean implementing it after hours when users do not require access to the organization’s resources.

There are three types of changes:

  • Standard change.  A standard change is preapproved due to its low risk.  We might create a list of standard changes or a description of standard changes.  When we implement a standard change, we still must fill out the justification for the change, but it is automatically approved.

  • Normal change.  A normal change follows the normal change process.

  • Emergency change.  An emergency change is one that must be implemented quickly due to the risk.  For example, we have discovered a zero-day vulnerability and we must patch it quickly.  We bypass the normal procedure, implement the change, and perform the change management process retroactively.