The Importance of Change Management
When we think of strategic security measures, we often think of policy, standards, procedures, firewalls, intrusion detection and intrusion prevention systems, security information and event management systems, network access control, VPNs, identity management systems, personal firewalls, anti-virus software, and the like. Strangely, we too often overlook change management and its value in risk mitigation. Wikipedia defines change management as “the process during which the changes of a system are implemented in a controlled manner by following a pre-defined framework/model with, to some extent, reasonable modifications.” Change management can range anywhere from an informal process involving little more than advance notification of the intention to make a change (something that may be adequate for small groups and organizations) to a formal process that requires change requests to be written and submitted to a change control board that reviews and ultimately approves or disapproves them.
Why is change management so important in information security? I can think of several major reasons:
1. New sources of risk or elevation in the severity of currently identified risks often accompany change. Software is one of the best examples. Changes in production code can easily result in new coding errors as well as new functions that compromise security.
2. Changes in the configuration of systems and network devices can (deliberately or accidentally) result in new potential avenues of attack. For example, a network administrator who opens TCP port 23 on a firewall to help a colleague on travel who is having trouble getting access to a host within the internal network also increases the likelihood of successful attacks via this port.
3. Without change control in effect, anarchy can easily prevail. Any person can make any desired change. Inconsistent settings, ad hoc code substitutions and revisions, and similar drift increase attackers’ likelihood of success—all the attacker must do is find and exploit one weak setting or code segment.
4. Change management decisions are the outcome of thinking by multiple people, people who generally are chosen to be on change control committees or boards because they possess the necessary qualifications. As such, the result is often collective wisdom—a better thought out and better reasoned decision than any one person wanting to make a change can reach.
5. Change management helps prevent fraud. Fraud perpetrators almost invariably change something in systems and applications. Effective change detection processes, implemented as part of a change management effort, will discover the perpetrator’s changes and report them, thereby leading to identification of the fraud attempt.
6. Change management normally results in traceability that enables people to determine why a configuration is the way it is and when the decision that resulted in the change was made. Why? Change management decisions are normally documented and archived. Traceability can in turn lead to better current and future decisions about security.
7. Change management is part of good information security governance. But I published a series of blog posts on information security governance several years ago, so I will not belabor this point.
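Points 2 and 5 above both depend on the same mechanism: a baseline of approved configuration, a way to detect drift from it, and a record of approved changes to reconcile against. The script below is an added example, not code from the original post or from Tripwire; it fingerprints a constructed baseline and current snapshot, reports every added, removed or modified item, and marks each change as approved only when it matches a ticket from a hypothetical change control board. The file paths, rule text and ticket number (CHG-0042) are all constructed for the example; the unapproved firewall change that opens TCP port 23 mirrors the scenario in point 2.

```python
import hashlib
from typing import Dict, List, Optional


def sha256_text(text: str) -> str:
    """Hex SHA-256 of a configuration item's content."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def fingerprint(snapshot: Dict[str, str]) -> Dict[str, str]:
    """Map each configuration item path to the hash of its content."""
    return {path: sha256_text(content) for path, content in snapshot.items()}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Detect items that were added, removed or modified relative to the baseline."""
    base_fp = fingerprint(baseline)
    cur_fp = fingerprint(current)
    changes: List[dict] = []
    for path in sorted(set(base_fp) | set(cur_fp)):
        if path not in base_fp:
            changes.append({"path": path, "kind": "added", "sha256": cur_fp[path]})
        elif path not in cur_fp:
            changes.append({"path": path, "kind": "removed", "sha256": None})
        elif base_fp[path] != cur_fp[path]:
            changes.append({"path": path, "kind": "modified", "sha256": cur_fp[path]})
    return changes


def reconcile(changes: List[dict], approved: List[dict]) -> List[dict]:
    """Match detected changes against approved change records.

    A change is approved only if a ticket names the same path AND the
    resulting content hash; anything else is flagged as unapproved so a
    reviewer can decide whether it is an error, an oversight, or fraud.
    """
    index: Dict[tuple, str] = {
        (rec["path"], rec["expected_sha256"]): rec["ticket"] for rec in approved
    }
    findings = []
    for change in changes:
        ticket: Optional[str] = index.get((change["path"], change["sha256"]))
        findings.append({**change,
                         "status": "approved" if ticket else "unapproved",
                         "ticket": ticket})
    return findings


# Constructed baseline snapshot of approved configuration (hypothetical paths).
BASELINE = {
    "/etc/firewall/rules.conf": "allow tcp 443 from any\nallow tcp 22 from 10.0.0.0/8\ndeny all\n",
    "/opt/app/release.txt": "app-2.3.1\n",
}

# Constructed current snapshot: a firewall rule for TCP 23 was added without a
# ticket, the application release was bumped under a ticket, and a debug file
# appeared with no ticket at all.
CURRENT = {
    "/etc/firewall/rules.conf": "allow tcp 443 from any\nallow tcp 22 from 10.0.0.0/8\n"
                                "allow tcp 23 from any\ndeny all\n",
    "/opt/app/release.txt": "app-2.3.2\n",
    "/opt/app/debug.cfg": "verbose=1\n",
}

# Constructed records from a hypothetical change control board: each approved
# change names the item and the exact content it is allowed to end up with.
APPROVED_CHANGES = [
    {"ticket": "CHG-0042", "path": "/opt/app/release.txt",
     "expected_sha256": sha256_text("app-2.3.2\n")},
]


def run_review() -> List[dict]:
    """Run detection plus reconciliation over the constructed snapshots."""
    return reconcile(diff_snapshots(BASELINE, CURRENT), APPROVED_CHANGES)


if __name__ == "__main__":
    for finding in run_review():
        label = finding["ticket"] or "NO TICKET"
        print(f"{finding['status'].upper():10} {finding['kind']:9} {finding['path']}  [{label}]")
```

Run as written, the review reports the firewall modification and the new debug file as unapproved and the release bump as approved under CHG-0042. Matching on the resulting hash rather than on the path alone matters: a ticket that approves "update release.txt" should not also silence a later, unrelated edit to the same file.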
Several years ago my friend, Gene Kim of Tripwire, and three others conducted a study of high performing IT organizations. They led discussions, administered self-assessment surveys, observed each organization’s IT processes, looked at source documents, and analyzed trouble tickets. Once they had amassed a considerable amount of data, they performed a factor analysis, a statistical method designed to discover common factors in data and the statistical loading (magnitude) of each factor. Change management was far and away the most important variable identified in the study.
So here is my question to security professionals. We know that change management is *that* critical in security risk mitigation. So why are we not including more change management content in our information security policies and standards? Much to my chagrin, I looked at the information security policy that I wrote when I was the CISO of High Tower Software. There was not a single mention of change management—shame on me! The same was true of the standards that I wrote. And I suspect that the disconnect between knowing about the importance of change management and integrating it into critical documents is more widespread than just me. So this is a challenge—take a look at your policy and standards to determine how adequately change control requirements have been addressed. You may be surprised!