Change management defines the process for any type of system modifications or upgrades. If you’re planning on taking the Security+ exam, this post should help to have basic understanding of change management policy.
For example, can you answer this question?
Q. A network administrator needs to update the operating system on switches used within the network. Assuming the organization is following standard best practices, what should the administrator do first?
A. Submit a request using the baseline configuration process.
B. Submit a request using the incident management process.
C. Submit a request using the change management process.
D. Submit a request using the application patch management process.
More, do you know why the correct answer is correct and the incorrect answers are incorrect? Answer and explanation at end of this post.
Change Management Goals
The worst enemies of many networks have been unrestrained administrators. A well-meaning administrator can make what appears to be a minor change to fix one problem, only to cause a major problem somewhere else. A misconfiguration can take down a server, disable a network, stop email communications, and even stop all network traffic for an entire enterprise.
For example, I once saw a major outage occur when an administrator was troubleshooting a printer problem. After modifying the printer’s Internet Protocol (IP) address, the printer began to work. Sounds like a success, doesn’t it? Unfortunately, the new IP address was the same IP address assigned to a Domain Name System (DNS) server, and it created an IP address conflict. The conflict prevented the DNS server from resolving names to IP addresses. This resulted in a major network outage until another administrator discovered and corrected the problem.
These self-inflicted disasters were relatively common in the early days of IT. They still occur today, but organizations with mature change management processes in place have fewer of these problems. Change management defines the process for any type of system modifications or upgrades. It provides two key goals:
- To ensure changes to IT systems do not result in unintended outages
- To provide an accounting structure or method to document all changes
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
Change Management and Change Requests
When a change management program is in place, administrators are discouraged from making configuration changes without submitting the change for review and approval. In other words, they don’t immediately make a change as soon as they identify a potential need for the change. This includes making any type of configuration changes to systems, applications, patches, or any other change. Instead, they follow the change management process before making a change.
Experts from different areas of an organization examine change requests and can either approve or postpone them. The process usually approves simple changes quickly. A formal change review board regularly reviews postponed requests and can approve, modify, or reject the change.
This entire process provides documentation for approved changes. For example, some automated change management systems create accounting logs for all change requests. The system tracks the request from its beginning until implementation. Administrators use this documentation for configuration management and disaster recovery. If a modified system fails, change and configuration management documentation identifies how to return the system to its prefailure state.
Patch management ensures systems are kept up to date and reduces risks associated with known vulnerabilities. However, patches can cause unintended outages, so many organizations include patch management processes within a change management process. When patch management is included with change management, the change management process provides documentation of the patches.
Remember this
Change management defines the process and accounting structure for handling modifications and upgrades. The goals are to reduce risks related to unintended outages and provide documentation for all changes.
Q. A network administrator needs to update the operating system on switches used within the network. Assuming the organization is following standard best practices, what should the administrator do first?
A. Submit a request using the baseline configuration process.
B. Submit a request using the incident management process.
C. Submit a request using the change management process.
D. Submit a request using the application patch management process.
Answer is C. The network administrator should submit a change using the change management process, which is the same process that is typically used for changes to any devices or systems.
A baseline configuration identifies the starting configuration.
Incident management addresses security incidents.
A regular patch management process typically includes following change management, but application patch management does not apply to devices.
