Change detection is easy. What is not so easy, is reconciling change. Change reconciliation is where most organizations stumble. What was the change? When was it made? Who made it? Was it authorized? The ability to answer these questions are the elements that comprise change management.
Historically, the haste of accomplishing a task consisted of a sysadmin moving full-speed ahead to satisfy the needs of the business. However impressive these feats of administration were, they did not always result in the best solutions. When things worked out, the sysadmin was the hero. When the actions created a “perfect storm” of cascading problems, it was often difficult to unwind the damage.
In many organizations, processes now exist for managing change in an optimized fashion. This has been propelled by many standards and regulatory actions that demand it. PCI DSS, and NERC/CIP are just two examples of standards that direct organizations to enact better change management controls. This is done in an effort to not only better detect change, but to fully account for the changes. Some of the advancement in technology have made this somewhat of a challenge. For example, DevOps and the containerization of apps enables developers to create and push changes immediately into a production environment. This is good for an impatient business, but bad for evidentiary proof of not only what went wrong, but how it was corrected.
It would seem that the potential for publishing misconfigured or vulnerable apps has increased exponentially, with much of it being automated using DevOps tools. This all begs for an effective change management program; a process through which changes are made in a safe manner with the ability to effectively back out of them when things go wrong.
There are some characteristics of organizations who have developed an effective change management system that are worth noting:
1. Tone at the top
Both management and the C-Suite have to agree and adhere to the idea that all changes to a system must be diligently managed. This serves as positive functions for both disaster recovery and audit purposes.
2. Deliberate practice
Change management offers the ability to exercise deliberate and thoughtful actions. This also aids in careful consideration before committing to changes, making success more probable.
3. Critical asset classification
Asset classification is as important to change management as data classification is to data loss protection. Any change made on a critical asset has an impact on the business. It is important to understand the effect on a “big picture” level, and a good change management program can assist in that effort.
4. Process is king
A well-documented process can enhance the entire change management operation. This dovetails with asset classification, as it clarifies the technical, as well as the administrative hierarchies of the environment. Knowing who can enact a change, and on what system is a process that gives ownership to the change management process.
A change management program should follow the path of sound Capability Maturity Model Integration (CMMI). This means that any method that is put in place, whether manual, or automated, should be done so with the aim of achieving the highest CMMI level possible, from Initial, Repeatable, Defined, Managed, all the way to Optimized.
Some ways to meet this goal is through following a systematic approach, including:
- An easily understood series of steps. This can prevent errors by making sure that changes are not made without following specific planning protocols.
- Identification of all key stakeholders. This follows along with the technical planning. Every business unit that may be impacted by the change must be included in the notification process prior to deploying a change to a system that will impact that department.
- Change detection mechanisms. This will alert the proper team if an unauthorized change is made.
- An effective, easily accessible system of record with accurate reporting capabilities. This is vital to knowing what was changed, and when, and the justification for doing so.
To find out more about how Tripwire can help you accomplish your change management goals, look here.
Meet Fortra™ Your Cybersecurity Ally™
Fortra is creating a simpler, stronger, and more straightforward future for cybersecurity by offering a portfolio of integrated and scalable solutions. Learn more about how Fortra’s portfolio of solutions can benefit your business.
