Eric Vanderburg

Change management is a key information security component of maintaining high availability systems. Change management involves requesting, approving, validating, and logging changes to systems. This process can bring significant benefits to an organization. Namely, it can strengthen the decision making ability of an organization by training personnel to fully think on and evaluate changes before they are made and it provides a knowledge base of past changes and the lessons learned from situations.

Information security can be divided into three sections: confidentiality, integrity, and availability, often called the CIA triad. Availability is extremely important. After all, if the data is not available to authorized users when they need it, of what use is it? High availability is another term that describes a system that is accessible to users 24×7 with minimal scheduled downtime.

An often mentioned method for obtaining high availability include hardware redundancy such as active/passive firewalls, clustered servers, network load balancing, and round robin DNS. Redundancy is an excellent aspect that high availability networks must have. However, another important factor in achieving high availability is a change management policy.

Any change has the potential to create new vulnerabilities or reduce the availability of systems. Of course, the process of maintaining systems and managing business objectives requires change. Therefore, organizations must determine how to balance the need for change with the minimization of risk. The answer is through change management. This starts with a change management policy that then leads into a change management program whereby change management is implemented throughout the company.

Let’s first define change management and describe what a change management system looks like. Change management is the process whereby changes are requested, approved, validated, and logged to reduce the risk of a change compromising the availability of systems or creating new vulnerabilities. Validation also takes place after a change has been made. The system needs to be tested to determine if the change produced the desired result. Change management approvers should thoroughly consider the impact of changes and notify users and others about the change. It is advantageous to schedule the changes during standard downtimes to minimize the potential impact to system availability.

Moving along with the description laid out for us, the first element of change management is approval. Change management systems require changes to be requested in a system and then approved by an authorized individual such as a supervisor, manager, data owner, or by multiple persons. The process of requesting a change and approving a change validates the actions taken since multiple people consider the decision and actions before they are approved.

The last element is logging. Logging produces some ancillary benefits to change management. Change management logging is a positive step towards knowledge management and it can aid personnel in reversing any damaging changes that may occur.

Change management can assist in knowledge management objectives because the rational behind changes along with those who implemented them are stored in the system. If a similar event comes along, such as a server error or a new project, the system can be queried to determine a course of action and the persons involved can be contacted for further information or involvement in future projects or troubleshooting.

Change management also gives an organization the ability to reverse damaging changes because it keeps a log of the actions taken. Not all changes achieve the desired outcome. In such situations, it is imperative that the organization have a method of reversing the changes to bring the system back into a functioning state. Change management accomplishes this by enabling users to view the log of actions taken so that these actions can be undone.

So what kinds of actions should be managed in a change management system? The CISSP common body of knowledge asserts that change management systems should manage changes related to the entire life cycle of a system including design, development, testing, evaluation, implementation, distribution, and ongoing maintenance.

The next question is what changes in these categories should be logged? This important question that has to be determined on a case-by-case basis by organizational decision makers. The greatest amount of benefits from a change management system will be realized by tracking even minor changes but this is a determination you will have to make.

Lastly, consider implementing change management metrics and integrating them with other security metrics you track so that you can ensure change management goals are met.

Summary

Change management is a process that can greatly strengthen information assurance and provide a framework for high availability in information systems. The process involves requesting, approving, validating, and logging changes to systems. This process aids in knowledge management, incident response, security management, and governance.

For further reading

Top Ten Tips for ITIL Change Management 

How to Develop an IT Change Management Program

JURINNOV, a Cleveland based firm, offers information security consulting services to give you more confidence in your information systems. Contact us today and bring your security to the next level.