Change management defines the process for any type of system modifications or upgrades. If you’re planning on taking the Security+ exam, this post should help to have basic understanding of change management policy.
For example, can you answer this question?
Q. A network administrator needs to update the operating system on switches used within the network. Assuming the organization is following standard best practices, what should the administrator do first?
A. Submit a request using the baseline configuration process.
B. Submit a request using the incident management process.
C. Submit a request using the change management process.
D. Submit a request using the application patch management process.
More, do you know why the correct answer is correct and the incorrect answers are incorrect? Answer and explanation at end of this post.
Change Management Goals
The worst enemies of many networks have been unrestrained administrators. A well-meaning administrator can make what appears to be a minor change to fix one problem, only to cause a major problem somewhere else. A misconfiguration can take down a server, disable a network, stop email communications, and even stop all network traffic for an entire enterprise.
For example, I once saw a major outage occur when an administrator was troubleshooting a printer problem. After modifying the printer’s Internet Protocol (IP) address, the printer began to work. Sounds like a success, doesn’t it? Unfortunately, the new IP address was the same IP address assigned to a Domain Name System (DNS) server, and it created an IP address conflict. The conflict prevented the DNS server from resolving names to IP addresses. This resulted in a major network outage until another administrator discovered and corrected the problem.
These self-inflicted disasters were relatively common in the early days of IT. They still occur today, but organizations with mature change management processes in place have fewer of these problems. Change management defines the process for any type of system modifications or upgrades. It provides two key goals:
- To ensure changes to IT systems do not result in unintended outages
- To provide an accounting structure or method to document all changes
Change Management and Change Requests
When a change management program is in place, administrators are discouraged from making configuration changes without submitting the change for review and approval. In other words, they don’t immediately make a change as soon as they identify a potential need for the change. This includes making any type of configuration changes to systems, applications, patches, or any other change. Instead, they follow the change management process before making a change.
Experts from different areas of an organization examine change requests and can either approve or postpone them. The process usually approves simple changes quickly. A formal change review board regularly reviews postponed requests and can approve, modify, or reject the change.
This entire process provides documentation for approved changes. For example, some automated change management systems create accounting logs for all change requests. The system tracks the request from its beginning until implementation. Administrators use this documentation for configuration management and disaster recovery. If a modified system fails, change and configuration management documentation identifies how to return the system to its prefailure state.
Patch management ensures systems are kept up to date and reduces risks associated with known vulnerabilities. However, patches can cause unintended outages, so many organizations include patch management processes within a change management process. When patch management is included with change management, the change management process provides documentation of the patches.
Remember this
Change management defines the process and accounting structure for handling modifications and upgrades. The goals are to reduce risks related to unintended outages and provide documentation for all changes.
Q. A network administrator needs to update the operating system on switches used within the network. Assuming the organization is following standard best practices, what should the administrator do first?
A. Submit a request using the baseline configuration process.
B. Submit a request using the incident management process.
C. Submit a request using the change management process.
D. Submit a request using the application patch management process.
Answer is C. The network administrator should submit a change using the change management process, which is the same process that is typically used for changes to any devices or systems.
A baseline configuration identifies the starting configuration.
Incident management addresses security incidents.
A regular patch management process typically includes following change management, but application patch management does not apply to devices.