- Defining Security Principles
- Security Management Planning
- Risk Management and Analysis
- Policies, Standards, Guidelines, and Procedures
- Examining Roles and Responsibility
- Management Responsibility
- Understanding Protection Mechanisms
- Classifying Data
- Employment Policies and Practices
- Managing Change Control
- Security Awareness Training
Managing Change Control
Use change control to maintain security.
The security impact of change control and configuration management is to know the present configuration of the system and it components. By knowing what is supposed to be in the system and network, administrators can identify whether security has been violated and rogue programs have been installed on the system.
Change Control, Configuration Management, and Revision Control
These are all similar phrases that describe the maintenance and tracking of changes to hardware and software.
One of the key security aspects of revision control and configuration management is the capability to track changes. If problems occur, administrators can examine the system in the context of the software and other installed components to see what might have caused the problem. The first step in creating these traces is to have a policy that mandates a formal change control procedure for all hardware and software systems. This policy should provide for written requests to perform system changes that can include a review for security. Using the policy as the base, the standards and procedures can be written to support the processes that log every change to any information component.
Hardware Change Control
Ideally, every time new hardware and configurations are added to the network, an entry is made to a change control system to track what has occurred. Considering that this is rarely the case, the best way to start this process is to use the risk analysis to determine the hardware inventory. With the hardware inventory, an effort should be made to place the configurations under change management control. Many organizations use the same procedures as software change management to track the changes of the configuration of the various systems. They realize that it is critical to maintain the configuration of firewalls, switches, and intrusion detection systems to ensure that someone does not change them to cover up her bad intentions.
Hardware change control does not just keeping track of system and network components. Documentation should also be kept up-to-date on the network configuration, including information on where the network and telephone cables are located. Undocumented network segments might not be protected or can be used to support insider hacking capabilities. Additionally, you might want to document the various telecommunication access points into the network. Unknown and unprotected modems can be used by anyone with access to a telephone to gain access using the software on the user's desktop, which might not be properly configured to protect the network.
Software Change Control
Software change control can have a few components. The most common topic of change control is what is used to track software development. In this case, the change management system can be used to re-create software to a certain revision to roll back from changes that might have caused security concerns or bugs.
Importance of Change Control
Change control on software systems can prevent unauthorized changes to those products. Untested patches can introduce bugs and other vulnerabilities that can be exploited.
Change control can be used to track vendor software changes. It can be considered inevitable that installed software will have bugs. Some of these bugs can be an inconvenience in operations, whereas others have security implications. It has been a source of debate among security and systems administration professionals as to how to handle fixing the software that has security problems. On one hand there is the need to fix the problem immediately to prevent problems. However, installing patches, even from a vendor, can lead to unpredicted results.
Large organizations have the capability to create test systems to test these changes before installing them into the production environment. Smaller organizations, though, might not have this luxury and might have to patch production systems. Whatever the size of your organization, having policies and procedures in place to track these changes will help you maintain the configuration of your software systems.