Description
Change Control and Management

Overview
Change Management is the process used to manage and control changes in the environment to ensure the confidentiality, integrity and availability of sensitive systems and data. The change management process should ensure that changes to systems or applications are carefully documented, reviewed and approved prior to implementation in the production environment.

Guidelines
Procedures should be in place to ensure that changes to critical systems/devices and applications are carefully reviewed and approved by management or by a change management group or role. The role authorized to approve changes should also be separate from the individual requesting or implementing the change (to ensure segregation of duties). The process should also include a way to review and detect unauthorized changes to production devices. Examples include, but are not limited to: monitoring tools that check the integrity of critical files (e.g., system binaries, utilities and configuration files), or manual review of changes compared to approved change tickets.

Securezoo recommends implementing a ticket system to support the Change Management (CM) process. For example, a CM ticket system (e.g., a web-based or client-based software application) can enable users to submit change requests using a common request form. Forms should capture and record the description of the change, its justification, risk, planned date and time, back-out plan, and the systems and applications affected, among other details.

Requests should also be routed to an "approver", who will need to determine the risk and ensure the change does not impact other planned changes, so as to maximize availability of the organization's systems. Integrity checking software that can detect unauthorized changes should also be implemented on the most critical systems and devices. The integrity checking software should utilize an established secure standard or "baseline" (see "Configuration Management"). Detected deviations from the baseline should be compared to approved change tickets; if a change is unauthorized, it should be backed out and investigated. Changes should also be evaluated for security policy violations.
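As an added illustration of the last guideline (example code, not part of Securezoo's page), the Python routine below compares a file-integrity scan against a baseline and reconciles each deviation with approved change tickets; the file paths, ticket identifiers, change windows and file contents are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    paths: frozenset        # files the approved change is allowed to touch
    window_start: datetime  # approved change window
    window_end: datetime
    approved: bool

def fingerprint(files: dict) -> dict:
    """Build a {path: sha256} snapshot from {path: contents} (constructed input)."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def detect_deviations(baseline: dict, current: dict) -> dict:
    """Compare a scan to the baseline; report added, removed and modified paths."""
    deviations = {}
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            deviations[path] = "removed"
        elif path not in baseline:
            deviations[path] = "added"
        elif baseline[path] != current[path]:
            deviations[path] = "modified"
    return deviations

def reconcile(deviations: dict, observed_at: datetime, tickets: list) -> dict:
    """Map each deviation to the approved ticket covering it, or None if unauthorized."""
    outcome = {}
    for path in deviations:
        covering = [t.ticket_id for t in tickets if t.approved and path in t.paths
                    and t.window_start <= observed_at <= t.window_end]
        outcome[path] = covering[0] if covering else None
    return outcome

# Constructed sample data: baseline snapshot, a later scan, and two change tickets.
BASELINE = fingerprint({"/usr/sbin/sshd": b"sshd-v1", "/etc/passwd": b"root:x:0:0"})
CURRENT = fingerprint({"/usr/sbin/sshd": b"sshd-v2", "/etc/passwd": b"root:x:0:0\nsvc:x:0:0",
                       "/etc/cron.d/backup": b"0 2 * * * root /opt/backup.sh"})
TICKETS = [ChangeTicket("CHG-1042", frozenset({"/usr/sbin/sshd"}),
                        datetime(2024, 5, 4, 1, 0), datetime(2024, 5, 4, 3, 0), approved=True),
           ChangeTicket("CHG-1043", frozenset({"/etc/cron.d/backup"}),
                        datetime(2024, 5, 4, 1, 0), datetime(2024, 5, 4, 3, 0), approved=False)]
SCAN_TIME = datetime(2024, 5, 4, 2, 30)

def unauthorized_changes() -> list:
    """Deviations no approved ticket explains: candidates for back-out and investigation."""
    found = reconcile(detect_deviations(BASELINE, CURRENT), SCAN_TIME, TICKETS)
    return sorted(p for p, ticket in found.items() if ticket is None)
```

The sshd change is covered by an approved ticket within its window, while the unapproved cron ticket and the undocumented passwd edit both surface as unauthorized.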

Topic Category
Operations and Communications Management

News Articles
Nasdaq Stock Exchange Goes Dark After Tech Glitch (www.wired.com, 8/22/2013)
CloudFlare security service goes down after router failure (news.cnet.com, 3/3/2013)
O2 fixes mobile broadband number leaks (www.zdnet.co.uk, 1/26/2011)
Policies
Change Management and Control Policy