Technical Change Management - CompTIA Security+ SY0-701 - 1.3

00:01

In our previous video, we talked about the change management

00:04

process.

00:05

But of course, eventually, the actual change

00:08

will need to be implemented into your environment.

00:10

And that usually relies on the technical staff

00:13

to be able to make these changes.

00:15

When you're making changes to one or two devices at home,

00:17

it's a relatively straightforward process.

00:20

But when you're working in an environment with tens,

00:22

hundreds, or even thousands of devices,

00:25

what would be a very simple update for a single device

00:28

can turn into a very complex process.

00:31

So in this video, let's talk about the change control

00:33

process from the perspective of the technician.

00:36

The change control process itself

00:38

is one that is concerned with what needs to change.

00:41

But of course, the technician is the one

00:43

who will be actually performing these changes.

00:46

For example, a technician may be asked

00:49

to make a change to an allow list or a deny list.

00:52

These are lists that are commonly

00:54

used to allow or prevent certain applications from working

00:57

in your environment.

00:58

This is because certain applications

01:00

can be considered dangerous.

01:01

These applications might have known vulnerabilities

01:04

or perhaps they're well-known applications

01:07

for carrying malware and infecting other systems.

01:10

It would make sense, then, for a technician

01:12

to add those malicious applications to a deny list

01:15

or perhaps include only the applications that they'd

01:19

like to run to an allow list.

01:21

If you're managing an allow list,

01:23

this means that only the applications you've named

01:26

will be able to run on people's workstations.

01:29

Everything is restricted except the things

01:31

that you add to the allow list.

01:34

A deny list is a little bit more flexible,

01:36

in that you could run any application you'd like,

01:39

except for the applications that have been specifically named

01:43

on the deny list.

01:44

For example, it's common to think

01:45

of antivirus and anti-malware as being a very large deny list.

01:50

Everything can run on your system

01:52

except specific types of code that are

01:54

identified by the anti-malware.

01:57

When a change is submitted to a change control board,

02:00

there's a very specific documented scope

02:03

for making this change.

02:04

And as part of this change control,

02:06

you're limited to only making changes

02:09

to what is specifically listed in the change control document.

02:12

For example, a change control board

02:14

may schedule a two-hour window for you

02:16

to be able to upgrade a series of printer drivers.

02:19

But that doesn't mean, during that same two-hour period,

02:22

that you can make other changes to other applications

02:25

just because the window happens to be available.

02:28

However, this doesn't mean that you're

02:29

limited to only what is listed in the change control

02:32

documents.

02:33

There may be times where you have to make additional updates

02:36

or expand the scope to be able to complete the primary goal

02:40

of that particular change.

02:42

For example, you may find that the process of upgrading

02:45

those printer drivers requires a modification to a configuration

02:48

file on everyone's system.

02:50

And although that wasn't specifically written

02:53

as part of the scope of this change,

02:55

this change can only take place if you make that modification.

02:59

And if this is a relatively simple modification,

03:01

there may be policies in place that

03:03

allow you to make the decision to modify that

03:06

file so that you can complete the overall change control

03:09

process.

03:10

This is why it's important to have a well-documented change

03:13

control process so that everyone understands the procedures that

03:17

should occur if you need to change the scope of the change

03:20

control.

03:21

When most people hear the term change control,

03:24

they automatically think about downtime.

03:26

And although this doesn't necessarily

03:29

mean that there will be downtime during the change,

03:31

we very often set aside a certain range to tell people

03:35

that there might be some unavailability

03:37

during this particular window.

03:39

This is one of the reasons as an IT professional

03:42

we tend to make these changes during non-production hours.

03:45

So the overnight hours or times when people are not

03:48

working on a particular application

03:50

would be a perfect time to make any type of significant change

03:54

to the application.

03:55

If you work for an organization that is up and running 24/7,

03:59

then you may find it very difficult

04:01

to find a change control window where downtime is tolerated.

04:04

In those environments, it's probably

04:06

more common to have a system where

04:08

you could switch to a secondary system,

04:10

update the primary system, and then switch over seamlessly

04:14

to prevent any type of downtime.

04:16

This move between a primary and secondary system

04:20

is probably one that's relatively automated

04:22

so that it can make that change as quickly as possible.

04:25

This also allows you to monitor the change.

04:28

And if you notice that there are problems,

04:30

you can switch back to the secondary system,

04:32

which at this point, you haven't made any changes to.

04:35

This makes it very easy to fall back

04:37

to a previous configuration by simply pointing

04:40

all of your users to either the primary

04:42

or the secondary system.

04:43

And of course, if there could be downtime,

04:46

you need to be sure that everyone

04:47

is aware of any potential outages that

04:50

may occur during that window.

04:51

It's common to send out emails informing everyone

04:54

of this particular downtime.

04:56

Or you could have a centralized change control calendar

04:58

where people can proactively view

05:00

what may be happening at any particular time of the day.

05:04

If you've been part of implementing

05:06

one of these change controls, one

05:07

of the things that you probably had

05:09

to do just before bringing everything back online

05:12

is to reboot the system.

05:14

This may be required by the change.

05:16

You may have a new configuration that will only be implemented

05:19

if you restart the system.

05:20

This may require rebooting the operating system itself

05:23

or, if you're in front of the physical device,

05:25

you may be able to physically power it down and power it

05:28

back on again.

05:28

Or this may only require you stopping and restarting

05:32

a service that's running in that operating system.

05:34

This also helps you understand if this system is going

05:37

to be able to recover properly if there

05:39

happens to be a power outage.

05:41

But if you're rebooting the system as part of your change

05:44

control, you'll know exactly how that system will react if it

05:47

happens to need a power cycle.

05:49

If the documentation says that we only

05:52

need to stop and restart a service,

05:54

this can usually be done relatively quickly.

05:56

We can do this from the Windows Services; from Task Manager

06:00

inside of Windows; or if it's Linux,

06:02

we may be able to restart a daemon that's already

06:04

running in the background.

06:06

And if we're updating an executable that's on a system,

06:08

we may require our users to log out of that application,

06:12

completely close down and exit the app,

06:14

and then restart it with the updated application.

06:18

One challenging aspect of this change control process

06:21

is when you're making a change that could affect a legacy

06:24

application.

06:25

Legacy applications have usually been

06:27

running for a very long time, and there are no current plans

06:30

to change out this particular app.

06:32

To add additional complexity, it's

06:34

very common for these legacy applications

06:36

to no longer be supported by the developer-- assuming,

06:40

of course, that the developer is even still in business.

06:43

These are usually the systems with a sign that

06:45

says, don't make any changes to this system

06:48

because no one in the organization

06:50

understands the application or how to support

06:52

any aspect of this system.

06:55

However, you may find that this application is not as complex

06:58

as you may have first thought, and by documenting

07:00

the application and how it's installed onto the system,

07:03

you can bring it into the normal support

07:05

cycle for your organization.

07:07

This doesn't necessarily mean that the support for this app

07:10

becomes seamless because there may be some idiosyncrasies that

07:14

are specific to this older application running on an older

07:17

operating system.

07:18

You'll find that after documenting these systems

07:21

and understanding how they work just a little bit better,

07:23

you'll become the expert in this system

07:25

and everyone in your organization

07:27

will be able to now support that system a little bit better.

07:31

If you've ever had to manage a large scale operating

07:33

system that is providing services

07:35

for hundreds or thousands of people,

07:37

then you know that making a simple upgrade

07:39

can sometimes be complicated because of dependencies.

07:43

With dependencies, you have to first make a change

07:46

to one application or service before you're

07:49

able to install or update another application or service.

07:53

Or it may be that the service that you've installed

07:56

won't work until a secondary service is also

07:59

installed on that system.

08:01

This certainly complicates the change control process.

08:04

We thought we were updating and changing one application,

08:07

and now we have to update a number of different services

08:10

just to provide the original update.

08:13

And in some cases, the dependencies

08:15

may not even be on the same system.

08:17

For example, to be able to install

08:19

a new version of your firewall management software,

08:22

it may also require your firewalls

08:24

to be running at a new version of code.

08:26

So you would first have to update all of your firewalls,

08:29

and then you would need to update the firewall management

08:32

software.

08:34

With change control, it's certainly true

08:36

that the only constant is change.

08:38

You might have change control processes

08:40

occurring in your data center every week

08:42

or perhaps even every day.

08:44

And every change has something that has now been

08:47

modified to what it was before.

08:49

This means that any documentation you have

08:52

of your environment could very quickly be out of date

08:55

without some type of ongoing documentation process.

08:58

That's why we commonly see documentation being required

09:02

with the change management process

09:04

itself so that you are always creating the most updated

09:07

set of documentation for your network.

09:10

This might include updating diagrams or charts that

09:13

have a network configuration.

09:15

You might have to modify IP addresses

09:17

or different configurations or you

09:19

may have to list a new series of processes or procedures

09:22

for managing a brand-new application that

09:25

has been upgraded in your production network.

09:28

And if you're dealing with change control,

09:30

then you're probably also dealing

09:31

with different versions of code, software, or configurations

09:35

that need to be applied to these systems.

09:38

In these situations, it's very useful

09:40

to have some way to keep track of all

09:42

of these different versions that have been installed.

09:45

And this also might give you a way

09:46

to revert to a previous version if you run into problems.

09:50

Many times, we provide this functionality

09:52

through version control.

09:53

This allows us to keep detailed documentation on things

09:57

like changes to router configurations,

09:59

patches inside of the Windows operating system,

10:02

changes to registries when you're updating an application,

10:05

and anything else where you can track what happens

10:08

between point A and point B.

10:11

You may find that the applications or operating

10:13

systems that you're using already

10:15

have some type of version control built in,

10:17

and there might be a very easy way within that application

10:20

or operating system to click a button, make a change,

10:24

and suddenly you're running a different version.

10:26

If your application or operating system

10:28

doesn't integrate any type of version control,

10:31

you might want to install a third party version control

10:34

management system so that you can manage all of your systems

10:37

and know exactly when changes are made

10:40

and what those changes are doing.