Change and/or configuration management systems always seem to fall on the back burner while businesses are growing. After all, who has time to implement a thorough documentation process for every single change that happens in your digital environment?
This goes on for a while; you know you'll get to it one day, and then suddenly an auditor arrives in your office asking for proof! Don't wait around. Let's get into the details of change management and beat that auditor to the punch!
This blog is an excerpt of a recent webinar.
Be sure to register here for the "Cybersecurity for Business Leaders" Lunch & Learn series!
Configuration and Change Management (CM) Programs are company-set standards for documenting and managing all modifications made in an organization's technical environment.
Every company's expectations and directions will be different depending on industry, cyber insurance requirements, and relevant cybersecurity standards.
CM Programs consist of a mixture of technical solutions, software, and people. Change management is typically implemented first, consisting mostly of processes and people. From there, configuration management is added, bringing in software such as a ticketing system and a configuration database.
Without Change Management and Configuration Management Programs, you truly cannot know what is occurring on your network. You need to be able to monitor events as they happen for cybersecurity purposes. Was the change expected? Did it deliver the desired result?
Add in the layer of regulatory compliance and cyber insurance, and things get even more serious. Federal contractors, like those under CMMC compliance, must have a CM program set up and documented for auditors!
Regardless of industry or necessary regulatory compliance level, CM programs can help keep your business in line with documented and measurable tasks, goals, and outcomes.
Let's take a look at all of the high-level components I view as necessary to a successful CM implementation. Keep in mind that, depending on the size and/or type of organization, each of these could be its own project with dedicated time, resources, etc.
You simply can't have a CM program without solid documentation covering all policies, procedures, and processes. Your people have to know where to go to find the details, and you can't train them or provide evidence to your auditor without it.
Without documented baselines, you'll never know whether the changes or configurations you modified actually had an impact on your network. This is crucial information for version control and overall system administration.
There are a hundred ways to keep your asset inventory documentation up to date, from free options to fully integrated systems that cost thousands. The best method is up to you. However, once you have an updated inventory, you need to complete a cost-benefit analysis for each item: compare the man-hours of a cheaper alternative against the higher up-front cost of fully automated software, and see what works best for you.
Everyone in the company needs to know the process for filling out a change request (CR) form. Set realistic expectations for approval and implementation as well.
You'll likely need to establish a Change Control Board (CCB) for project-related items, and a Change Advisory Board (CAB) for service lifecycle support. Each board member will be assigned roles and responsibilities. This can be as simple as a two- or three-person team, maybe one person from software development along with a cybersecurity specialist, that reviews all changes in your organization. Regardless of size, the bottom line is that your business needs a set group of people to review all potential changes to your network.
We frequently see changes implemented to address a vulnerability, only to have another vulnerability opened up afterwards. Things like this need to be considered when reviewing changes, and it's important to work hand in hand with your cybersecurity team throughout the process.
For each requested change, you need to document the impact on the business for both approval and denial, along with the input from all approvers. All departments need to be considered in this process!
While this is more audit-based, having a repository of all previous agendas and requests will help every business. You need to keep these records for approved, denied, and in-process requests as a continuous, auditable record.
This part can be expensive, but it's crucial for your business to have all the necessary software to enforce baselines and keep your infrastructure in its desired state. Most organizations seem to skip this step and rely on an "honor system" of sorts, hoping everyone is adhering to the necessary guidelines. This can (and eventually WILL) cause problems, especially when an emergency change occurs and your team is rushing to complete a project. Having the necessary quality assurance software in place ensures that you stay safe, even when mistakes are made.
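The baseline and enforcement points above boil down to one recurring check: compare what each system should look like against what it actually looks like, and tie every difference back to a change request. The following Python script is an added example and is not code from the original post or the webinar; the hosts, settings, and CR numbers are constructed sample data, and the simple dictionary format for the baseline and the scanner output is an assumption made for illustration. It classifies every difference as approved (covered by an approved CR), unauthorized (no CR, or a denied one), or undocumented (a setting nobody baselined), produces the revert list that enforcement tooling would act on, rolls approved changes into the next baseline version, and reports approved changes that have not yet been applied, which is the "did it deliver the desired result?" question from earlier.

```python
"""Configuration baseline drift detection tied to the change-request log.

Added example (not from the original post): every difference between the
documented baseline and the observed state is classified against the
CCB/CAB decision record. All hosts, settings and CR numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRequest:
    cr_id: str
    host: str
    setting: str
    new_value: str
    status: str  # "approved", "denied" or "pending"


# Constructed documented baseline: host -> {setting: expected value}.
BASELINE = {
    "web-01": {"ssh.PasswordAuthentication": "no", "firewall.inbound": "deny",
               "tls.min_version": "1.2", "logging.remote_syslog": "no"},
    "db-01": {"ssh.PasswordAuthentication": "no", "firewall.inbound": "deny",
              "db.remote_root": "no"},
}

# Constructed observed state, as a configuration scanner would report it.
OBSERVED = {
    "web-01": {"ssh.PasswordAuthentication": "no", "firewall.inbound": "deny",
               "tls.min_version": "1.3",        # raised via approved CR-1001
               "logging.remote_syslog": "no"},  # CR-1003 approved, not yet applied
    "db-01": {"ssh.PasswordAuthentication": "yes",  # no CR was ever filed
              "firewall.inbound": "allow",          # CR-1002 was denied
              "db.remote_root": "no",
              "cron.backup": "enabled"},            # never baselined
}

# Constructed change-request log, i.e. the CCB/CAB record of decisions.
CHANGE_LOG = [
    ChangeRequest("CR-1001", "web-01", "tls.min_version", "1.3", "approved"),
    ChangeRequest("CR-1002", "db-01", "firewall.inbound", "allow", "denied"),
    ChangeRequest("CR-1003", "web-01", "logging.remote_syslog", "yes", "approved"),
]


def detect_drift(baseline, observed, change_log):
    """Return one finding per difference between baseline and observed state."""
    approved = {(cr.host, cr.setting, cr.new_value): cr.cr_id
                for cr in change_log if cr.status == "approved"}
    findings = []
    for host, expected in baseline.items():
        actual = observed.get(host, {})
        for setting, exp_val in expected.items():
            act_val = actual.get(setting)
            if act_val == exp_val:
                continue  # still in the desired state
            cr_id = approved.get((host, setting, act_val))
            findings.append({"host": host, "setting": setting, "expected": exp_val,
                             "actual": act_val, "cr_id": cr_id,
                             "status": "approved" if cr_id else "unauthorized"})
        # Settings present on the host but missing from the baseline are drift too.
        for setting in sorted(actual.keys() - expected.keys()):
            findings.append({"host": host, "setting": setting, "expected": None,
                             "actual": actual[setting], "cr_id": None,
                             "status": "undocumented"})
    return findings


def remediation_plan(findings):
    """(host, setting, value) triples that restore the baseline for unauthorized drift."""
    return [(f["host"], f["setting"], f["expected"])
            for f in findings if f["status"] == "unauthorized"]


def updated_baseline(baseline, findings):
    """Fold approved, implemented changes into the next baseline version."""
    new = {host: dict(settings) for host, settings in baseline.items()}
    for f in findings:
        if f["status"] == "approved":
            new[f["host"]][f["setting"]] = f["actual"]
    return new


def unimplemented_changes(observed, change_log):
    """Approved CRs whose requested value is not yet visible on the host."""
    return [cr.cr_id for cr in change_log if cr.status == "approved"
            and observed.get(cr.host, {}).get(cr.setting) != cr.new_value]


if __name__ == "__main__":
    drift = detect_drift(BASELINE, OBSERVED, CHANGE_LOG)
    for f in drift:
        print(f"{f['status']:12} {f['host']} {f['setting']}: "
              f"{f['expected']} -> {f['actual']} (CR: {f['cr_id']})")
    print("revert:", remediation_plan(drift))
    print("approved but not applied:", unimplemented_changes(OBSERVED, CHANGE_LOG))
```

Run against the sample data, the two db-01 findings land on the revert list because one was never requested and the other was denied, the web-01 TLS change is accepted into the new baseline because CR-1001 approved exactly that value, and CR-1003 is flagged as approved but not delivered. The "undocumented" category is deliberately not auto-reverted: a setting nobody baselined needs a human decision (document it or remove it), which is exactly the gap the honor system hides.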
Obviously, there are multiple steps to consider before your business undertakes the effort of creating a CM program. Here are a few of the challenges you'll encounter during the process:
If you're prepared for the challenges, you'll need to know the immediate next steps to take:
While it does seem like a massive undertaking, creating a Change Management Program for your business is a worthwhile, and in many cases, necessary task. If you're having trouble or feeling overwhelmed, reach out to us! Our team will be more than happy to help you build the best program possible!