Welcome back to CyberRays. It's of course, I'm your instructor. Brad Roads. Let's jump into change management.
So throughout the course of our time together, we have spent a lot of time talking about change management. We've we've mentioned it. I don't know how many lessons and modules, but you might get the feeling that it's kind of important for an ISI. It is. So in this video, we're going to talk about change management basics and the change management process.
So change management basics. There's four things I want you to remember. One change management. Are the activities focused on things that change right? And when we think about security control systems and stuff like that, those air technical controls, those air nontechnical controls, those air detective those were prevented. All of those controls can change all of things. Anything in your system,
in the complex environments that you operating can change,
and by making a change, you can actually create a vulnerability and be the cause of a breach. And so change management is incredibly important, and it's a very focused activity set.
The next thing we're gonna talk about is configuration items. That's where we determine what the heck it is we're going to control. What do we manage? What are we looking at from a configuration process? And that could be hardware router switches that could be software. It could be what, what? Lennox server version you're running. It could be firmware. Um,
I think WiFi access points. They have firm where that needs to be updated. Well, maybe we configuration control that because we have, say,
specific users on specific devices that if you upgrade the firmware without telling them they have problems, right? Documentation, right. We talked about those non technical things. Those can be configuration items, anything that could potentially be changed in the change management process that could potentially have a impact, too.
System, system of interest controls, whatever right
can be a configuration item.
The next thing is a baseline configuration. And so that's the starting point, right? You probably heard of system baselines when you're thinking about security, so it's akin to that. That's a That's a good sort of analogy to draw when we're thinking about security controls or security systems or information security in general.
When we do a baseline configuration, we are agreeing
as to what that is that's the baseline, right? You can create a baseline all you want. But if nobody agrees with you, that that's the baseline for that particular say control, it doesn't matter.
So you got to do a baseline.
And then, of course, the last piece and change management basics is the board right? This is a group of qualified people, so let me caveat that qualified people means many things when it comes to change control boards. Um, you may be in. You may be invited as an issue to sit on a change control board with a bunch of management people that if you said something technical, they would have no idea what you said. And that's okay.
But ultimately, change control boards are
in many cases made up of stakeholders, right who have some, some import and have some knowledge of, and maybe have a steak or a need to be on the board right? That's that's what happens there. In many organizations, you're gonna have people on your change, your configuration control boards
that aren't technical, and that's okay.
But they haven't interest in what changes you make, because it might break things for customers that they have to deal with and so very important that you know that what that group of folks is going to dio they're the ones that approved the changes,
right? And depending on how you do it, it might have to be a unanimous approval or it might be a majority approval, so it's gonna be organizationally dependent. But those are the four parts of change management.
So when we think about the change management process, it's very important. There's four steps here.
We start with the plan,
so obviously, if you don't start with the plan, you don't know what you're doing. So I have a plan. The next thing is those baselines we talked about previously. You have to decide what are the baselines that you're going to work that changes off of If you don't have a baseline and it's a continually moving target, there is absolutely no way that you could do change management. It is impossible,
so you have to have a baseline.
The next part is the change. Control and change control is the board change. Control is the list of configuration items. Change control is the general change management basics and process that we're talking about right now. It's the act of doing the change control. That's what change control is.
And then, of course, the last thing in the change management process should not surprise you at all, because we've talked about this
previously on conman. Continuous monitoring is the monitoring piece you have to monitor your systems you actually have toe have monthly weekly. Whatever it is depends on complexity and needs of your organization. You've got to have meetings about this. You have to go and ask. Are there any changes that need to be made? You need to have a process by which people submit changes
as part of the plan and part of that change control so that
they can be adjudicated appropriately by the Change Control Board and ultimately monitored. And oh, by the way, impact success if the change is going to be significant to the organization. And so this change management processes signal is cyclical, and you've got to do that monitoring piece because just like risk management, just like everything else. If you're not doing continuous monitoring here,
you are going to expose yourself to vulnerabilities
and a potential breach.
So what do we cover in this lesson. We looked at change management basics,
uh, and highlighted the need for identifying configuration control items and having a baseline. And then we talked about the change management process, which, in my opinion, is the most important part of that is the monitoring. If we don't monitor, we're gonna miss something.
We'll see you next time.