- AAA Overview: Access Control, Authentication, and Accounting
- Security Administration—The Importance of a Security Policy
- Keeping Up with and Enforcing Security Policies
- Risk Assessment
- Why Data Classification Is Important
- The Importance of Change Management
- Performing Vulnerability Assessments
- Chapter Summary
- Apply Your Knowledge
The Importance of Change Management
Describe, recognize, or select good administrative maintenance and change-control issues and tools.
It's important to synchronize security policy and practices with current organizational realities. Inevitably, this means changing the policy and related practices and procedures to keep up with evolving needs, and to accommodate any newly developed requirements.
This is where an engineering discipline known as change management comes into play. In its purest form, change management defines a systematic way to introduce change into a complex system of any kind. Because of the number and level of detail involved in building a working collection of security policy documents for an organization, most experts believe that change management is absolutely necessary to help control how changes are introduced and handled when they are required.
Change management hinges on several kinds of activity, and on tracking the impact and activity involved in implementing changes to complex systems in an organized, formal way. Here's a typical set of steps involved in implementing a change within the general framework of change management:
As the need for change is discovered or recognized, a pending change request is filed. Such requests are reviewed and evaluated at regular intervals.
If the change request is approved during the review process, a change order is created. In addition to describing the change and its desired results, the change order may also specify staffing, budget, and schedule requirements.
When the change order schedule indicates that work to incorporate the requested change is to begin, a change job or work order is enacted. Normally, such changes apply to a copy of the system being changed and do not affect changes to production environments until later in this process. The implementation group must also document its changes, and file proposed changes to security policy documents at this time.
During the implementation process, module and unit tests, make sure the change as implemented meets the requirements of the change as specified. After the implementation team decides the change is complete, it is turned over to a test group for change testing as an external check.
If the external testing group agrees that the change meets the specifications, that the change has no adverse effects on overall system behavior or capability, and that the documentation changes properly reflect resulting security policy, change enactment is authorized. Only at this point are changes introduced into a production environment, so only at this point do real, visible changes occur.
Hopefully, it's clear that formal change management makes it easier to incorporate and accommodate changes to production environments (and not just for security matters, either). This approach is designed to keep change manageable, and to make sure it works properly before production rollout, and that such changes are properly documented. Although not all organizations follow such a formal methodology, it's essential that they make and manage changes carefully, and also that they keep written security policy documents synchronized with actual policies, practices, procedures, and implementations.