The change advisory board (CAB)
The Change Advisory Board (CAB) is responsible for evaluating, prioritizing, and sanctioning proposed changes.
Business processes
Approval process: The approval process looks at the proposed change and the reasons behind it (for example, due to new technology or more stringent regulations). This change is sent to any affected stakeholders for input. This way, the approval process ensures that the project’s direction aligns with the organization’s goals.
Ownership: Ownership in change management refers to a person within a department who has asked for a change and will be responsible for ensuring that it is carried out effectively. In terms of security, clear ownership is crucial; this change might be handled by the Chief Information Security Officer (CISO). The CISO ensures that security tasks are carried out effectively and that there is accountability. An example could be ensuring that the proper level of encryption has been implemented and that security tasks have been monitored effectively.
Stakeholders: Stakeholders are individuals, groups, or entities that have a vested interest (or stake) in a company’s operations, activities, or outcomes.
Primary categories of stakeholders in a company
Shareholders/Investors: They own shares or have equity in a company. Their primary interest is in the company’s financial performance and the value of their investments.
Employees: Employee satisfaction, engagement, well-being, and development are important factors that impact a company’s productivity and reputation.
Suppliers: Suppliers provide the resources, materials, or components necessary for a company’s operations.
Creditors/bank: Creditors and lending institutions provide a company with financial resources through loans or credit.
Government and Regulatory Bodies: Government entities and regulatory bodies set the legal and regulatory framework within which the company operates.
Stakeholder management
Impact analysis: Before making changes, it’s important to analyze how they could impact the organization. In security, this means considering how a change could affect the overall safety of systems and data. This analysis helps in foreseeing potential security risks and finding ways to address them before they become real problems.
Test results: Test results give confidence that the security actions will protect the organization as expected.
Backout plan: In security operations, it’s a plan to undo a change if things go wrong.
Maintenance window: Think of a maintenance window as a scheduled time for fixing things.
Standard operating procedure: A standard operating procedure (SOP) is like a rulebook that guides how things should be done.
Technical implications
Allow lists/whitelists: An allow list grants access only to those on the list; this could be used on a firewall or by AppLocker, which decides which applications and files can run. Whitelists ensure that only approved applications can be installed or run.
Deny lists/block lists: A deny list/block list operates by preventing access to those on the list; this could be used on a firewall to deny access.
Restricted activities: Restricted activities prevent actions that could potentially lead to vulnerabilities or disruptions. These activities include unauthorized software installations, unauthorized system modifications, direct access to critical servers, and access to sensitive data or unauthorized data transfers.
Several factors that impact change management
Downtime: This is where an organization’s systems have been taken offline, either because of a system failure or because maintenance is being carried out.
Service restart: Shutting down or rebooting systems can disrupt legitimate user access to computing resources and hinder incident response and recovery efforts.
Application restart: Application restart vulnerabilities encompass potential security weaknesses that can emerge when an application is restarted. Improper restart procedures can cause data inconsistencies or corruption, potentially affecting the integrity of the application and its security measures.
Legacy applications: Legacy applications are those that have been used for a long time. These applications tend to have lower, outdated security measures and a lack of vendor support.
Documentation
Thorough documentation of changes ensures transparency, accountability, and a clear understanding of the changes being made.
Updating diagrams: Keeping diagrams up to date (such as network topology or system architecture diagrams) supports a better understanding of the current environment.
Updating policies/procedures: Regularly updating policies and procedures to reflect changes is pivotal for maintaining a secure environment.
Version control
Proper version control ensures that only authorized changes are implemented. It prevents unauthorized modifications and provides an audit trail, which is crucial for security.