Change Management

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Welcome back to Cybrary,
00:00
yes of course, I'm your instructor, Brad Rhodes.
00:00
Let's jump into change management.
00:00
Throughout the course of our time together,
00:00
we have spent a lot of
00:00
time talking about change management.
00:00
We've mentioned it,
00:00
I don't know how many lessons and modules,
00:00
but you might get the feeling that it's
00:00
important for [inaudible], it is.
00:00
In this video we're going to talk about
00:00
change management basics and
00:00
the change management process.
00:00
Change management basics, there's
00:00
four things I want you to remember,
00:00
one, change management
00:00
are the activities focused on things that change.
00:00
When we think about security controls,
00:00
systems and stuff like that,
00:00
those are technical controls,
00:00
those are non-technical controls
00:00
those are detective, those are prevented.
00:00
All of those controls can change, all of the things,
00:00
anything in your system and
00:00
the complex environments that
00:00
>> you operate in can change.
00:00
>> By making a change,
00:00
you can actually create
00:00
a vulnerability and be the cause of a breach,
00:00
and so change management is incredibly
00:00
important and it's a very focused activity set.
00:00
The next thing we're going to talk about is
00:00
configuration items.
00:00
That's where we determine
00:00
what the heck it is we're going to control.
00:00
What do we manage? What are we looking
00:00
at from a configuration process?
00:00
That could be hardware, routers, switches,
00:00
that could be software, it could be
00:00
what Linux server version you're running.
00:00
It could be firmware.
00:00
Think Wi-Fi access points,
00:00
they have firmware that needs to be updated.
00:00
Well, maybe we configuration
00:00
control that because we have say,
00:00
specific users on specific devices that if you
00:00
upgrade the firmware without
00:00
telling them they have problems.
00:00
Documentation, we've talked
00:00
about those nontechnical things,
00:00
those can be configuration items.
00:00
Anything that could potentially be changed in
00:00
the change management process that
00:00
could potentially have impact to systems,
00:00
system of interests, controls,
00:00
whatever, can be a configuration item.
00:00
The next thing is a baseline configuration.
00:00
That's the starting point.
00:00
You've probably heard of system baselines
00:00
when you're thinking about security,
00:00
so it's akin to that,
00:00
that's a good analogy to draw.
00:00
When we're thinking about security controls or
00:00
security systems or information security in general,
00:00
when we do a baseline configuration,
00:00
we are agreeing as to what that is, that's the baseline.
00:00
You can create a baseline all you want.
00:00
But if nobody agrees with you
00:00
that that's the baseline for
00:00
that particular say control, it doesn't matter.
00:00
You've got to do a baseline.
00:00
Then of course the last piece in
00:00
change management basics is the board.
00:00
This is a group of qualified people.
00:00
Let me caveat that.
00:00
Qualified people means many things
00:00
when it comes to change control boards.
00:00
You may be invited as an SE to sit on
00:00
a change control board with a bunch of
00:00
management people that if you said something technical,
00:00
they would have no idea what you said, and that's okay.
00:00
But ultimately change control boards are in many cases
00:00
made up of stakeholders who have
00:00
some input and have
00:00
some knowledge of and maybe have
00:00
a steak or a need to be on the board.
00:00
That's what happens there.
00:00
In many organizations, you're
00:00
going to have people on your change or
00:00
configuration control board that
00:00
aren't technical and that's okay.
00:00
But they have an interest in what changes you make
00:00
because it might break things for
00:00
customers that they have to deal with.
00:00
Very important that you
00:00
know what that group of folks is going to do,
00:00
they're the ones that approve the changes.
00:00
Depending on how you do it, it might have to be
00:00
a unanimous approval or it might be a majority approval.
00:00
It's going to be organizationally dependent,
00:00
but those are the four parts of change management.
00:00
When we think about the change management process,
00:00
it's very important, there's
00:00
four steps here. We start with the plan.
00:00
Obviously, if you don't start with the plan,
00:00
you don't know what you're doing, so have a plan.
00:00
The next thing is those baselines
00:00
we talked about previously.
00:00
You have to decide what are the baselines
00:00
that you're going to work the change is offer.
00:00
If you don't have a baseline
00:00
and it's continually moving target,
00:00
there is absolutely no way
00:00
that you can do change management.
00:00
It is impossible, so you have to have a baseline.
00:00
The next part is the change control.
00:00
Change control is the board.
00:00
Change control is the list of configuration items.
00:00
Change control is the general change management basics
00:00
and process that we're talking about right now.
00:00
It's the act of doing the change control,
00:00
that's what change control is.
00:00
Then of course, the last thing in
00:00
a change management process should not
00:00
surprise you at all because we've
00:00
talked about this previously,
00:00
and common continuous monitoring is the monitoring piece.
00:00
You have to monitor your systems.
00:00
You actually have to have monthly, weekly,
00:00
whatever it is, depends on complexity
00:00
and needs of your organization.
00:00
You've got to have meetings about this,
00:00
you have to go and ask,
00:00
are there any changes that need to be made?
00:00
You need to have a process by which people
00:00
submit changes as part of the plan
00:00
and part of that change control so that they can be
00:00
adjudicated appropriately by the change control board
00:00
and ultimately monitored,
00:00
and by the way, impacts assess if a change is
00:00
going to be significant to the organization.
00:00
This change management processes is cyclical
00:00
and you've got to do
00:00
that monitoring piece because just like risk management,
00:00
just like everything else, if you're
00:00
not doing continuous monitoring here,
00:00
you are going to expose yourself
00:00
to vulnerabilities and a potential breach.
00:00
What did we cover in this lesson?
00:00
We looked at change management
00:00
basics and highlighted the need
00:00
for identifying configuration control items
00:00
and having a baseline.
00:00
Then we talked about the change management process,
00:00
which in my opinion is the most important.
00:00
Part of that is the monitoring, if we don't monitor,
00:00
we're going to miss something. We'll see you next time.
Up Next