Change Management - CompTIA Security+ SY0-701 - 1.3

00:01

When you're making a change to an application or an operating

00:04

system that you use at home, the scope of that change

00:07

is usually based on a single computer.

00:10

But in a corporate environment or a large organization,

00:13

one single change could affect hundreds or even

00:16

thousands of different systems.

00:18

If you're upgrading software or modifying an application

00:21

or making a change to a router or a firewall,

00:24

you'll need to go through a formal process

00:26

to make sure that that change is going to work properly.

00:30

These types of changes occur constantly.

00:33

We know that Microsoft has updates for their operating

00:35

systems every month.

00:37

And you might have hundreds or even thousands of applications

00:40

that you use.

00:40

And those might have constant updates to those as well.

00:44

This is something that is incredibly important

00:46

to stay on top of because a system that is not updated

00:49

is one that is probably less secure.

00:52

This is why it's important to have

00:54

a formal process for making changes in your environment.

00:57

If suddenly everyone was able to make any change they'd

01:00

like whenever they would like, you

01:02

could run into problems with applications working properly

01:05

or inconsistencies in the way that applications

01:08

are able to use the operating system.

01:10

These processes may dictate how often

01:13

you're able to make changes, the type of changes that

01:16

can be made, and might even cover things like rollback

01:18

procedures just in case you run into a problem

01:21

when that change is updated.

01:23

Many organizations already have a change control process.

01:26

And this makes it very easy to implement and control

01:29

any type of change to your environment.

01:31

But if your organization doesn't have a formal change control

01:35

process, you may find it very difficult

01:37

to implement or make changes to this corporate culture.

01:41

We have these formal change control

01:43

processes so that we can maintain

01:45

the uptime and availability of our systems.

01:48

We know that everyone is informed.

01:50

So there's no confusion about the changes being made.

01:53

And we want to be sure that no mistakes are made when people

01:56

make changes to these systems.

01:58

Here's a summary of a typical change control process.

02:01

This might be a little bit different in your environment.

02:03

But it tends to follow a similar path regardless

02:06

of where you might be.

02:07

The first part of the process is to fill out a formal change

02:11

control process form.

02:12

This is something that everyone has

02:14

to do so that all of the standard information

02:16

is provided to the central committee that

02:19

makes these decisions.

02:20

You would document in this form the reason

02:22

that you're making this change so that everybody understands

02:25

why this change is occurring.

02:27

You would then identify the scope of that change.

02:30

It might be a single system or a number of different systems.

02:33

And whoever's making the decision

02:35

to either allow or disallow this change

02:38

needs to understand what this scope would really be.

02:41

There would be a scheduling process

02:43

so we would know exactly when the date and time

02:46

for this change would be.

02:47

And then we would know what systems

02:49

would be affected by this change and the impact of that change.

02:53

To be able to make a decision on whether this change should

02:56

occur or not occur, the change control board

02:59

generally needs to analyze the risk associated

03:01

with the change.

03:02

For example, this might be a significant change.

03:05

And it might be at a time of the year

03:07

when the company is very busy.

03:09

So the change control committee would

03:10

need to balance the risk of not making

03:12

the change versus implementing the change

03:15

and having a problem.

03:16

At this point, the change control board

03:18

should have all of the information

03:19

they need to make a decision on whether the change is allowed

03:22

or not allowed.

03:23

And once the change is made, you may

03:25

want to have users try their systems

03:27

and confirm that the change was updated

03:29

without any type of problems.

03:32

The change control process usually

03:34

starts with the owner of the application

03:36

or the data wanting to make a change

03:39

to that application or data.

03:41

The owner of the application or the data

03:43

don't generally control the change control process.

03:46

And they're not usually the ones making the actual change

03:49

to that application or to that data.

03:51

Instead, the owners are the ones managing the process.

03:55

The owner is kept informed as the change control

03:58

process occurs.

03:59

And once the change is complete, the owner

04:01

is responsible for testing their systems

04:03

and verifying that everything is working properly.

04:07

For example, your organization may have a department

04:09

for shipping and receiving.

04:11

And there may be information that they've

04:12

received that says their address label

04:14

printers need to be upgraded.

04:16

In this example, the shipping and receiving department

04:19

is the owner of this process.

04:21

And they're going to hand that off to their IT team

04:23

to handle the actual change to the printing software.

04:27

Another consideration for the change control process

04:30

are the stakeholders.

04:32

These are the individuals or departments

04:34

that will be impacted by the change that you're proposing.

04:37

They will probably want to have input on the process

04:39

and have some type of control over when

04:42

this particular change occurs.

04:44

Identifying the stakeholders may not be as obvious

04:46

as you might think.

04:47

There are some changes that can affect a large number of people

04:51

within the organization, or perhaps the change

04:53

is only affecting one single individual.

04:56

The IT team may need to research and identify

04:59

any of the stakeholders who might

05:01

be affected by this change.

05:03

Let's take our previous example of upgrading software that's

05:06

being used for shipping labels.

05:08

And you might think that this would only affect the shipping

05:11

and receiving department.

05:12

But of course, the shipping labels

05:14

are also used by accounting to create reports

05:17

of what has been shipped.

05:18

There might be product delivery frames affected by this change,

05:22

especially if you're shipping directly to your customers.

05:25

This would, in turn, also affect revenue recognition

05:28

because it would affect how quickly you're

05:30

able to get product into the hands of your customers.

05:33

And this would certainly have the visibility of the CEO.

05:36

This is a good example of how something

05:38

that appears to be a very simple change to some printing

05:41

software could ultimately have a dramatic effect

05:45

to the bottom line of the company.

05:47

Every change has a different potential impact

05:51

on the organization.

05:52

So you need to recognize what risks may be involved when

05:55

making any particular change.

05:57

This might be a risk value that you assign

06:00

a high, medium, or low risk.

06:02

But these risks could also be very far-reaching.

06:05

There may be a case where you install a fix,

06:08

but it doesn't actually fix anything.

06:10

That certainly has a particular risk associated with it,

06:13

or maybe you install the fix and you end up

06:16

breaking something else.

06:18

This is not entirely unheard of when patching systems.

06:21

There might be a failure of an operating system

06:24

just because you installed this particular update

06:26

or there might be corruption of data, which

06:28

means you would need backups.

06:30

And all of these would certainly have different levels of risk.

06:33

You also have to consider what risks might be involved

06:37

if you don't make the change.

06:39

For example, there might be a security vulnerability

06:41

and if you don't patch this application,

06:43

that vulnerability will be available to any attacker that

06:47

may be coming across our network.

06:49

This may cause an application to be unavailable

06:51

if you don't patch the application

06:54

or you might have other services that are no longer operating

06:57

because you didn't make a change to a secondary service.

07:01

Given these risks, you may decide

07:04

that you want to do a lot of testing

07:06

before implementing this change into a production environment.

07:09

And for that, we may use something

07:11

like a sandbox testing environment, where

07:13

you can perform as many tests as you'd

07:15

like and have no effect on your production systems.

07:19

This is effectively a technological safe space

07:21

where you can make mistakes, you can try different techniques,

07:25

and then you can perform extensive testing

07:27

after the fact to confirm that the update really did work

07:30

properly.

07:31

Inside of the sandbox, we can load a duplicate environment

07:35

to our production systems.

07:37

And then we can try the upgrade, apply a patch, make the change,

07:41

and see what effect that has to a system that

07:44

is identical to what your users are using in production.

07:47

This is also a good time to test your contingency plan.

07:51

You can implement the change.

07:52

And even if the change was operational in your test

07:55

environment, you may want to test your backout procedures

07:58

just to make sure that if something does go wrong

08:01

in production, you have a documented series of steps that

08:04

brings everything back to the way it

08:06

was before you made the change.

08:09

There are many documented cases through the years

08:11

where someone thought that a change was very minor,

08:14

they make that change into an environment

08:16

without even thinking that they would

08:18

need to be able to revert back to a previous config,

08:21

and that change ends up bringing down their entire network.

08:25

This is why you need a backout plan.

08:27

You should have a way to revert back

08:29

to the original configuration or something that

08:32

would be very similar to what you

08:34

started with before the change took place.

08:37

In some cases, this is a very simple process.

08:39

You simply uninstall the patch that you

08:41

installed and confirm that the original files are back

08:44

in place.

08:45

But some changes are very difficult to revert.

08:48

So you may need to have different techniques and ideas

08:51

about how you can bring those systems back

08:53

to their original form if something does go wrong.

08:57

This is why we often say that before you

08:59

make any change to a system--

09:00

that you have a full and complete backup of that system.

09:04

That way, if you do make the change and run into a problem

09:07

and then you try your backout plan and have a problem,

09:11

you can always go back to your backup.

09:14

You may find that the process for approval of the change

09:17

is the easy part.

09:19

The difficult part is finding time to implement the change.

09:23

This is something that has to be planned and considered

09:26

before making any significant change to production.

09:29

For example, you may not want to make change

09:31

during the workday, when everybody is on their systems

09:34

and performing their work.

09:36

Instead, you may want to have off hours or maintenance hours

09:40

where you can make changes without having

09:42

significant impact to users.

09:44

This is why you often see the IT folks coming in

09:47

on weekends and holidays and very early in the morning

09:51

just so they can make change without any type of disruption

09:54

to the network.

09:55

This can be especially challenging

09:57

if you work in an environment that is 24 hours a day

09:59

and seven days a week, where you have

10:01

very little time available to make

10:04

any changes in those systems.

10:06

You might also need to consider what time of the year

10:09

you're making these changes.

10:11

Take, for example, a company that is very retail-based

10:14

and their busiest times of the year are between Thanksgiving

10:17

and New Year's.

10:18

In those environments, it's not uncommon for all

10:21

of their systems to be completely

10:23

frozen during that time frame.

10:25

And no changes would be allowed whatsoever.

10:28

Only after the new year are you now

10:30

able to reintroduce some type of change control

10:33

and begin the process of updating your systems.

10:37

Hopefully, you can see now that change management

10:39

is a critical part of your policies and procedures

10:42

for security.

10:43

And it affects every single person in your organization.

10:47

In almost every environment, this change control process

10:49

is well documented, and anyone in the company

10:52

can read through the documentation

10:54

on their intranet.

10:55

This should be part of your standard operating procedures.

10:58

And no one should be able to make changes on your network

11:00

without receiving this approval.

11:02

And of course, your change control process

11:05

is going to be updated over time to make it more efficient

11:08

and fit the best with the requirements of the company.