Security+
All-In-One Edition
Chapter 18 – Change Management
Brian E. Brzezicki
Change Management
Computer software, systems and networks are complex, growing systems. They constantly evolve, and the ability to understand and recreate them, as well as to prove their integrity, is critical to an organization's health and security.
Can anyone think of a system they run? What happens if the building burned down and you had to recreate that system? How would you do that if you had no change control and documentation?
Change Management
Whether regulated (e.g. SOX) or not, organizations should always implement change management controls and follow best practices. Change management should occur throughout all product, system, and network lifecycles. This includes:
• Software development and revision control
• Network and system configuration
• Software and system patches
Change Management Process
1. Request Change
2. Change Management Board approves changes (who is that… next)
3. Change is documented
4. Change is tested
5. Change is implemented
6. Change is reported to management
Change Control Board
Who might be on the Change Control Board?
• Project Managers
• Network Administrators
• Systems Administrators
• Security Administrators
• Operations Managers
• Help Desk Managers
• Others… as required
Separation of Duties
Separation of duties is important to change management to ensure no party can subvert or skip the change management procedures. Some best practices:
• Developing, building, and installing software should be done by different people
• Software developers should not be part of the QA/test team
• Software developers should not have access to install the software on production machines
• System admins should not have access to the source code
Chapter 18 - Review
Q. What is the purpose of change control?
Q. Why is it important that a developer not have access to a production system and data?
Q. Why is it important that an admin not have access to an application's source code and compilers?
Q. What is regression testing?