Technical Perspectives on Change Control Process

Jun 12, 2024

Overview

  • Change management involves both the managerial and actual implementation processes.
  • Implementation is often handled by technical staff.
  • Complexity increases with the number of devices in the environment.

Roles in Change Control

  • Technical Staff: Responsible for executing changes.
  • Examples of changes:
    • Modifying allow lists and deny lists.
    • Managing specific application permissions to ensure security.

Allow Lists & Deny Lists

  • Allow List: Only specified applications can run.
    • Tight control, everything else is blocked.
  • Deny List: Blocks specified applications.
    • More flexible, most applications can run except those on the list.
    • Example: Antivirus software uses a deny list approach.

Change Control Board (CCB)

  • Submits changes with a documented scope.
  • Limits changes to what is specifically listed.
  • Example: Upgrading printer drivers within a 2-hour window.

Scope Adjustment

  • Sometimes required to achieve primary change goals.
  • Policies may allow simple modifications to stay within scope.
  • Importance of well-documented processes for handling scope changes.

Downtime and Scheduling

  • Downtime Considerations: Changes don’t always cause downtime, but it is often expected.
  • Scheduling Changes:
    • Non-production hours (overnight/low-usage times) are ideal.
    • For 24x7 operations, alternative methods like primary-secondary system switches are used.

Communication About Downtime

  • Notify all stakeholders about potential outages.
  • Methods: Emails, centralized Change Control calendar.

Reboots and Restarts

  • Often required for changes to take effect.
  • Could involve:
    • Rebooting the entire system.
    • Power cycling physical devices.
    • Restarting specific services or applications.

Managing Legacy Applications

  • Challenges:
    • Often unsupported by developers.
    • Organization might lack internal expertise.
  • Solutions:
    • Document the application and installation process.
    • Bring the application into normal support cycles, despite possible idiosyncrasies.

Dependencies in Change Control

  • Changes may affect multiple applications/services.
  • Must account for dependencies, which complicate the process.
  • Example: Firewall updates requiring concurrent updates to management software.

Documentation and Version Control

  • Importance of Continuous Documentation
    • Prevents outdated information.
    • Documentation should be updated with every change.
  • Version Control
    • Tracks changes to configurations and software.
    • Facilitates reverting to previous versions if needed.
    • Requires either built-in tools in applications/OS or third-party systems.
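
The allow list and deny list behaviour from the earlier section, combined with the change tracking and revert described above, as an added example that is not part of the original notes. Identifying applications by SHA-256 hash, the AppControlPolicy class and the CHG-000x ticket numbers are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def digest(binary: bytes) -> str:
    """Identify an application by the SHA-256 of its contents (assumption)."""
    return hashlib.sha256(binary).hexdigest()

@dataclass
class AppControlPolicy:  # hypothetical class, not a real product's API
    mode: str  # "allow": only listed apps run; "deny": listed apps are blocked
    versions: list = field(default_factory=lambda: [frozenset()])
    tickets: list = field(default_factory=lambda: ["initial"])

    def may_run(self, binary: bytes) -> bool:
        listed = digest(binary) in self.versions[-1]
        return listed if self.mode == "allow" else not listed

    def apply_change(self, ticket: str, add=(), remove=()) -> int:
        """Record a list change as a new version; return its version number."""
        current = self.versions[-1]
        self.versions.append((current | frozenset(add)) - frozenset(remove))
        self.tickets.append(ticket)
        return len(self.versions) - 1

    def revert_to(self, version: int, ticket: str) -> int:
        """Roll back by re-recording an earlier version, keeping the history."""
        self.versions.append(self.versions[version])
        self.tickets.append(ticket)
        return len(self.versions) - 1

# Constructed sample "binaries" (byte strings standing in for executables).
EDITOR, NEW_TOOL, KNOWN_BAD = b"editor-1.0", b"new-tool-0.1", b"known-bad"

def demo() -> dict:
    allow = AppControlPolicy("allow")
    base = allow.apply_change("CHG-0001", add=[digest(EDITOR)])
    deny = AppControlPolicy("deny")
    deny.apply_change("CHG-0002", add=[digest(KNOWN_BAD)])
    result = {
        "allow_unlisted": allow.may_run(NEW_TOOL),  # blocked: not on the list
        "deny_unlisted": deny.may_run(NEW_TOOL),    # runs: not on the list
        "deny_listed": deny.may_run(KNOWN_BAD),     # blocked: on the list
    }
    allow.apply_change("CHG-0003", add=[digest(NEW_TOOL)])
    result["allow_after_change"] = allow.may_run(NEW_TOOL)
    allow.revert_to(base, "CHG-0004")  # the revert is itself a recorded change
    result["allow_after_revert"] = allow.may_run(NEW_TOOL)
    result["history_len"] = len(allow.versions)
    return result
```

Calling demo() shows the same unlisted application blocked under the allow list and permitted under the deny list, and shows the revert restoring the earlier list without erasing the history.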

Conclusion

  • Change Control is a dynamic process that requires careful planning and documentation.
  • Dependencies, legacy applications, and scheduling are significant challenges.
  • Effective communication and version control are crucial for seamless change implementation.