Change Management

Difficulty
Intermediate
Video Transcription
00:00
>> Welcome back to Cybrary,
00:00
yes of course, I'm your instructor, Brad Rhodes.
00:00
Let's jump into change management.
00:00
Throughout the course of our time together,
00:00
we have spent a lot of
00:00
time talking about change management.
00:00
We've mentioned it,
00:00
I don't know how many lessons and modules,
00:00
but you might get the feeling that it's
00:00
important for [inaudible], it is.
00:00
In this video we're going to talk about
00:00
change management basics and
00:00
the change management process.
00:00
Change management basics, there's
00:00
four things I want you to remember,
00:00
one, change management
00:00
are the activities focused on things that change.
00:00
When we think about security controls,
00:00
systems and stuff like that,
00:00
those are technical controls,
00:00
those are non-technical controls,
00:00
those are detective, those are preventive.
00:00
All of those controls can change, all of the things,
00:00
anything in your system and
00:00
the complex environments that
00:00
you operate in can change.
00:00
By making a change,
00:00
you can actually create
00:00
a vulnerability and be the cause of a breach,
00:00
and so change management is incredibly
00:00
important and it's a very focused activity set.
00:00
The next thing we're going to talk about is
00:00
configuration items.
00:00
That's where we determine
00:00
what the heck it is we're going to control.
00:00
What do we manage? What are we looking
00:00
at from a configuration process?
00:00
That could be hardware, routers, switches,
00:00
that could be software, it could be
00:00
what Linux server version you're running.
00:00
It could be firmware.
00:00
Think Wi-Fi access points,
00:00
they have firmware that needs to be updated.
00:00
Well, maybe we configuration
00:00
control that because we have say,
00:00
specific users on specific devices that if you
00:00
upgrade the firmware without
00:00
telling them they have problems.
00:00
Documentation, we've talked
00:00
about those nontechnical things,
00:00
those can be configuration items.
00:00
Anything that could potentially be changed in
00:00
the change management process that
00:00
could potentially have impact to systems,
00:00
system of interest, controls,
00:00
whatever, can be a configuration item.
00:00
The next thing is a baseline configuration.
00:00
That's the starting point.
00:00
You've probably heard of system baselines
00:00
when you're thinking about security,
00:00
so it's akin to that,
00:00
that's a good analogy to draw.
00:00
When we're thinking about security controls or
00:00
security systems or information security in general,
00:00
when we do a baseline configuration,
00:00
we are agreeing as to what that is, that's the baseline.
00:00
You can create a baseline all you want.
00:00
But if nobody agrees with you
00:00
that that's the baseline for
00:00
that particular say control, it doesn't matter.
00:00
You've got to do a baseline.
00:00
Then of course the last piece in
00:00
change management basics is the board.
00:00
This is a group of qualified people.
00:00
Let me caveat that.
00:00
Qualified people means many things
00:00
when it comes to change control boards.
00:00
You may be invited as an SE to sit on
00:00
a change control board with a bunch of
00:00
management people that if you said something technical,
00:00
they would have no idea what you said, and that's okay.
00:00
But ultimately change control boards are in many cases
00:00
made up of stakeholders who have
00:00
some input and have
00:00
some knowledge of and maybe have
00:00
a stake or a need to be on the board.
00:00
That's what happens there.
00:00
In many organizations, you're
00:00
going to have people on your change or
00:00
configuration control board that
00:00
aren't technical and that's okay.
00:00
But they have an interest in what changes you make
00:00
because it might break things for
00:00
customers that they have to deal with.
00:00
Very important that you
00:00
know what that group of folks is going to do,
00:00
they're the ones that approve the changes.
00:00
Depending on how you do it, it might have to be
00:00
a unanimous approval or it might be a majority approval.
00:00
It's going to be organizationally dependent,
00:00
but those are the four parts of change management.
00:00
When we think about the change management process,
00:00
it's very important, there's
00:00
four steps here. We start with the plan.
00:00
Obviously, if you don't start with the plan,
00:00
you don't know what you're doing, so have a plan.
00:00
The next thing is those baselines
00:00
we talked about previously.
00:00
You have to decide what are the baselines
00:00
that you're going to work the changes off of.
00:00
If you don't have a baseline
00:00
and it's a continually moving target,
00:00
there is absolutely no way
00:00
that you can do change management.
00:00
It is impossible, so you have to have a baseline.
00:00
The next part is the change control.
00:00
Change control is the board.
00:00
Change control is the list of configuration items.
00:00
Change control is the general change management basics
00:00
and process that we're talking about right now.
00:00
It's the act of doing the change control,
00:00
that's what change control is.
00:00
Then of course, the last thing in
00:00
a change management process should not
00:00
surprise you at all because we've
00:00
talked about this previously,
00:00
and common continuous monitoring is the monitoring piece.
00:00
You have to monitor your systems.
00:00
You actually have to have monthly, weekly,
00:00
whatever it is, depends on complexity
00:00
and needs of your organization.
00:00
You've got to have meetings about this,
00:00
you have to go and ask,
00:00
are there any changes that need to be made?
00:00
You need to have a process by which people
00:00
submit changes as part of the plan
00:00
and part of that change control so that they can be
00:00
adjudicated appropriately by the change control board
00:00
and ultimately monitored,
00:00
and by the way, impacts assessed if a change is
00:00
going to be significant to the organization.
00:00
This change management process is cyclical
00:00
and you've got to do
00:00
that monitoring piece because just like risk management,
00:00
just like everything else, if you're
00:00
not doing continuous monitoring here,
00:00
you are going to expose yourself
00:00
to vulnerabilities and a potential breach.
00:00
What did we cover in this lesson?
00:00
We looked at change management
00:00
basics and highlighted the need
00:00
for identifying configuration control items
00:00
and having a baseline.
00:00
Then we talked about the change management process,
00:00
which in my opinion is the most important.
00:00
Part of that is the monitoring, if we don't monitor,
00:00
we're going to miss something. We'll see you next time.