
Chapter 18 – Change Management


Security+
All-In-One Edition
Chapter 18 – Change Management
Brian E. Brzezicki
Change Management
Computer software, systems, and networks are complex, growing systems. They constantly evolve, and the ability to understand and recreate them, and to prove their integrity, is critical to an organization's health and security.
Think of a system you run: what happens if the building burns down and you have to recreate that system? How would you do that if you had no change control and documentation?
Change Management
Whether regulated (e.g., SOX) or not, organizations should always implement change management controls and follow best practices. Change management should occur throughout all product, system, and network lifecycles. This includes:
- Software development and revision control
- Network and system configuration
- Software and system patches
Change Management Process
1. Request Change
2. Change Management Board approves changes (who is that… next)
3. Change is documented
4. Change is tested
5. Change is implemented
6. Change is reported to management
Change Control Board
Who might be on the Change Control Board?
- Project Managers
- Network Administrators
- Systems Administrators
- Security Administrators
- Operations Managers
- Help Desk Managers
- Others… as required
Separation of Duties
Separation of duties is important to change management to ensure that no party can subvert or skip the change management procedures. Some best practices:
- The jobs of developing, building, and installing software should be done by different people
- Software developers should not be part of the QA/test team
- Software developers should not have access to install the software on production machines
- System admins should not have access to the source code
Chapter 18 - Review
Q. What is the purpose of change control?
Q. Why is it important that a developer not have access to a production system and data?
Q. Why is it important that an admin not have access to an application's source code and compilers?
Q. What is regression testing?
