Understand and Participate in Change Management Processes
In this part of this tutorial, we’ll take a look at change management processes to help you understand the different aspects of change management processes. System, network, and application always require changes. A system that does not change will become less secure over time, as security updates and patches are not applied.
So restricted change management or change control process needs to be followed. Change management is the process used to control architectural and configuration changes in a production environment. It is a formal process of request, design, review, approval, implementation, and recordkeeping.
There are some steps that are common across most organizations are in change management process, described here:
- Identify the need for a Change: For example, you might find out that a routers is vulnerable to a Dos attack, so its configuration must update.
- Test the change in a Lab: Do not apply the change all at once without prior testing. Test the change in a non-production environment to ensure that the proposed change is error-free and compatible with the production environment. Of course, this test can also be used to document the implementation process and other important details.
- Put in a Change Request: A change request is a formal request to implement a change. This request includes many details. For example the proposed date of the change, the details of the work, the impacted systems, notification details, testing information, and rollback plans, and etc.
- Obtain Approval: Usually, a committee that runs change management, will meet weekly or monthly to review change requests. The people that have submitted the changes meet to discuss the change requests, ask questions and vote on approval. If approval is granted, change management process moves on to the next step. If not, it must restart the process.
- Send out Notifications: Sometimes, the implementation team, handles the communications. The purpose is to communicate to impacted parties, management and IT about the upcoming changes.
- Perform the Change: Within a system, some changes are performed immediately, and some take time. It is recommended that you record the current configuration in each step at each stage of the change and before applying the change, so that if adverse results occur after the change is applied, you can return to the previous configuration.
- Send out “all clear” Notifications: These notifications indicate success or failure.