Poor change control can send your organization's security tumbling. Follow these 5 steps for a strong change management program.
Mysterious activity shows up on key network devices at 2 a.m., setting off alarms in the network operations center. You're blocking Telnet and outside connections to the network, so this activity makes no sense. After 15 minutes of scrambling for answers, you find those connections weren't blocked at all. Earlier in the week someone made a change to grant network access to a vendor's technician, unintentionally creating a nightmare for you.
This simplistic example illustrates an important point: all too often, inadequate change control is the root cause of many headaches and sleepless nights for secu-rity managers. Keeping networks locked down is incredibly difficult because networks are in constant flux; patches must be applied, partners must be granted access and new services must be provisioned. One unmanaged change could send the neatly aligned and secured blocks of your network tumbling to the ground.
Change management can mean a number of things to security managers. To some, change management constitutes the processes in place to enact changes in the IT environment, such as new firewall rules or router access control list entries and system upgrades. This process includes approvals, testing and scheduling. Too frequently, though, IT security teams equate the concept of change management with configuration control and management, which includes activities like file integrity monitoring and system scanning. Although they are distinct concepts, both are vitally important to security, and the ties between change management and configuration management are getting stronger.
Security's challenge is to integrate itself into existing IT change management processes, while developing change and configuration management processes for systems and devices it controls. Organizations must include security to help evaluate requested and planned system changes and advise business management of associated risks. Getting a seat at the table is becoming easier because organizations understand the risks some IT changes could introduce.
However, the security team should act as a trusted adviser, not a dictator of whether changes are allowed or not, and demonstrate willingness to work with business owners and facilitate business initiatives.
Let's examine security's role in five key steps for a well-developed change management program.
| 
