How do you make a change? In this video, you’ll learn about the challenges and importance of a good change management strategy.
They say the only constant is change. That ironic phrase certainly applies to security, because there are always things changing with security. You’re having to make changes to firewall policies. You need to make changes to what you’re doing with switches. You’re adding new systems to the network. You’re removing older machines from the network. New computers coming into your environment have to be plugged in. Older systems are being phased out. Software has to be upgraded. These things are happening all the time. And if you simply start changing things without any type of planning whatsoever, you could absolutely run into security issues relating to that. This is probably one of the most common risks in the enterprise, because it’s something that’s happening all the time.
In large organizations, even medium-sized organizations, this is something that occurs every week. And the organizations that have set policies in place have a meeting every week. That’s your change control meeting. Everybody brings up the change in that meeting. Everybody knows what’s going to happen. And now you have a window between one o’clock in the morning and four o’clock in the morning on a Sunday morning where the change takes place. And now on Monday you can see what happens when that change is in. If you don’t get your change mentioned in your change control meeting, you don’t get it done that week; you have to wait until the following week. It’s a very common way to handle that. If you overlook this change management process, you’re really opening the door for some serious, serious problems down the road. Because anybody can go in and make a change to any system, it’s not being tracked, and eventually when a problem occurs, it’s a problem that has occurred because you weren’t planning for that issue. You don’t have a rollback in place. You don’t have a way to manage that. And that’s what you have to have: clear policies associated with change.
How often are changes made? What is the duration that you’re allowed to make changes? Is it only going to be on that Sunday morning? What is the process to install that change in your environment? And perhaps more importantly, if it doesn’t work or causes a problem, what is the process to roll out of that? How long is it going to take to roll back that particular change that you’ve made? Often the people that need the change are not the people implementing the change. So very often there are well-documented processes you have to go through to make this happen.
In the end, you want to have a way to allow changes in your environment, but not restrict your business from being able to perform its duties and its functions. It’s a balancing act you have to consider when you’re working in a type of security environment and setting up these policies. This can many times be very, very difficult to implement. If it’s an organization that’s never had any type of policy, and suddenly you show up and say, we need to follow these very specific policies, rules, and procedures, there may be a bit of pushback there. Why do we have to do that? We’ve never had a problem in the past. We have our own way of handling these things. Let’s not start creating more problems.
Corporate culture can be a very, very difficult thing to change. And of course, that all goes back to your policies and procedures that everybody gets to participate in, and that everybody signs off on. And you now have the management behind you to say, no, this change control process is a very important thing, we must follow it, and anybody who doesn’t follow this can then deal with the repercussions of that afterwards. Whenever you’re dealing with any type of change, not just for change management or anything, it can be difficult. And your security policies are what you have in your back pocket that says, this is exactly what we’ve all agreed to, let’s follow this going down the road.
Category: CompTIA Security+ SY0-401