Organizational Policies – SY0-601 CompTIA Security+ : 5.3

Change is a challenging by-product of information technology. In this video, you’ll learn about the change control process and how asset management can assist with the security of user data and devices.

[MUSIC PLAYING] The one constant in it is that there’s always change. There will be software that needs to be upgraded, they’ll be firewall configurations that have to be changed, and they’ll be switch ports that need modification. If you’re working at home, you can unplug a device, you can change an operating system, reboot a machine and you’re back up and running. But if you’re in the enterprise, making one single change you can have a dramatic effect in the organization, and could completely bring everything to its knees. You want to be sure that if you’re planning to make a change that you’re doing it in the right way.

Unfortunately, not all organizations have the same perspective with change control. And they’ll make changes throughout the day and cause applications to fail and networks to break. With change management, you can figure very clear policies on how changes are to be made. You know exactly when those changes occur, you know how long it takes to perform that particular change, you understand the entire process for the installation, and if you run into a problem, you’re already have fallback procedures that you can use.

If your organization doesn’t have a corporate culture around change management, it’s very, very difficult to implement. But if you spend the time to put in these policies, you’ll find that you have a much better control over the uptime and availability of your systems.

The formal process for making these changes is called change control. By using change control, you can avoid unnecessary downtime confusion that may surround these changes and making mistakes during the change process. Change control manages this process from the very beginning of the change all the way through to the end.

For example, you have to understand what the scope of the change happens to be, are you changing the software on a single network switch or are you updating the operating systems on every device in the organization. You also have to understand what the risk might be associated with the change. Rolling a Microsoft patch to everyone’s workstation may cause these systems to have a problem when they reboot, and we need to understand what that particular risk might be.

Once we understand the scope and the risks, we can create a plan for performing this particular update. This may be a simple plan for updating a single configuration in a switch. Or it may be a detailed plan for performing a database upgrade. Once the plans in place, we can get the approval from the users to be able to make this particular change and then we can present all of these plans to a change control board. This is a Central Committee that understands all of the changes taking place, they will approve or deny the change. And they will put that change into the calendar.

Perhaps, one of the most important steps of this entire process is that you have a back plan. Even the best made plans can run into problems, so it’s always a good idea to have a set of steps that will revert all of these changes and take you back to the original configuration.

And once we make these changes we need to document everything so that we understand what the current state might be. This is a very detailed process and it’s obviously an important process for any organization. By having this change control process in place, you exactly when changes are going to occur, you understand what the scope of those changes might be, and you have a process for rolling back if you run into problems.

Another important organizational policy is the management of your devices. We need to understand where these devices are, we need to be able to track them as they move, and this is usually something that is done through an automated console. This not only allows us to understand where these assets might be, but if we run into a security problem, we know who is using that device, what they’re doing with this device, and where that device happens to be.

This asset management not only includes the hardware on these devices, but it also includes the applications and the data that’s on these devices. We need to be able to provide management of all of those components and be able to track and understand where every single bit of data might be.

In some cases, you’ll also need a way to track the use of applications. Some application licensing requires that you pay for a certain number of seats that are used for an application. Using Asset management can help you understand how much of that application is in use. And from a security perspective, it’s useful to understand what devices someone might be using, what version of software they’re running, and if any security patches need to be pushed out to that device.