Change Management Flashcards
What is change management?
A structure plan and process for introducing changes to an environment. Communication and documentation are key. Type of CM depends on organisational needs. Sets standards, ensures accountability, keeps everyone informed. Enables proper tracking of environment.
What are three different types of changes?
- planned major changes
- break/fix or maintenance
- emergency changes
Discuss planned changes
- usually larger scale changes
- new equipment or vendors
- thoroughly researched and documented
- entire process is typically used
- can have multiple meetings
- typically takes longer to implement
Discuss break/fix or maintenance changes
- typically non-downtime issues
- user reported or admin identified
- example: software config changes, simple hardware upgrade/replacement, routine maintenance work
- typically shorter timeframes
-normally scheduled, unless major then emergency change
Discuss emergency changes
- Normally major issues
- commonly involve some sort of downtime
- must be addressed immediately (not scheduled)
- still requires approvals
- abbreviated process used
- root cause analysis
Discuss detecting changes
Software and hardware baselines - point of reference used for comparison, must know what “normal” looks like
Monitoring baselines - automated/ routine audits
What are the two change environments?
- PRODUCTION - main network and systems, changes should not be tested here, downtime can affect business
- TEST/DEVELOPMENT - duplicate of production environment (partial or complete). Changes are tested and adjusted here. No loss have business functions if problems. May have multiple test environments.
What is the change management lifecycle?
- Change introduction
- Research & documentation
- Review
- Implement
- Learn
Outline change introduction phase
- Changes are initially proposed (new deployments, changes to existing systems, major or minor changes)
- Submission process (manual forms, automated process)
- Basic information is gathered (vendors, various departments, coworkers)
Outline research and documentation phase
- bulk of research in this phase (whitepapers, vendor documentation, meetings)
- documentation formalised and organised (security documentation and attestation, deployment diagrams, network topology)
- involvement depends on size of project (multiple teams/ departments, single person)
- implementation timeline developed
- all information and documentation is consolidated
Outline the review phase
- Can be one meeting or multiple meetings
- Who reviews? (project owners, IT, cyber security, any other necessary stakeholders)
- Additional questions asked in this phase (need more documentation? another vendor call? additional people or resources?)
- If approved, moves to implementation phase
Outline implementation phase
- implementation timeline is verified and adjusted if necessary
- goals and milestones established
- tasks assigned to individuals or teams
- time scheduled
- procurement (resources allocated, any needed licences or hardware)
- baselines established and verified
- timeline, tasks, resources, and goals constantly monitored
Outline the learning phase
- continuous throughout entire process
- can be formalised meeting
- what could be done differently?
- what were roadblocks?
- what were successes/wins?
- Root cause analysis (RCA)
What are other considerations in the change management process?
Questions to ask vendors - who supports system and how, anti-virus other security controls, who patches and what patches approved, what access is need? - network access, storage access, internet
What happens if process not followed?
- unknown changes
- improper documentation of environment
- system downtime/outages
- other planned changes may be adversely affected
