Incorporating change management
We won't go into detail about change management, but it is critical that you understand its importance and its place in the overall security program. Your organization most likely has some form of change control process in place today. If not, it is highly recommended that one be established to provide a more structured and reliable environment.
The following diagram provides an example of a change flow process that you could implement if you don't already have one in your environment:
Change management is typically part of a larger program, more specifically around service management. One of the more common frameworks to help with change management is Information Technology Infrastructure Library (ITIL).
Tip
To learn more about ITIL, go to https://www.axelos.com/best-practice-solutions/itil/what-is-itil.
As part of your security program, you will want to ensure that all of your baselines are signed off by management and are well documented. More importantly, you will need to ensure that the baselines are implemented with every deployment. If any exceptions or deviations from the baselines are needed, it is extremely important that the requests are pushed through the change management process and are audited. They will need to be reviewed and approved by the appropriate teams, which will most likely include sign-off from someone on the security team who is part of the change process. The same applies to any changes needed to the baselines themselves. As hardware, software, and operating systems change, the baseline will need to be modified to keep pace. These changes should also go through the change control process to ensure everyone agrees to and approves them.
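The following is an added illustration of the audit described above, not code from the book or from any vendor tool: it compares a system's observed settings against a documented baseline and against a register of approved exceptions, and separates deviations that are covered by an unexpired change record from unapproved drift. The baseline settings, the observed values, and the change ticket identifier are all constructed sample data.

```python
"""Baseline drift check with an approved-exception register (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Constructed sample baseline: setting name -> required value.
BASELINE: Dict[str, object] = {
    "password_min_length": 14,
    "account_lockout_threshold": 10,
    "smb1_enabled": False,
    "rdp_nla_required": True,
}

# Constructed exception register. Each entry is assumed to record the change
# ticket that approved the deviation, who approved it, when it expires, and
# the exact value that was approved. The ticket id is a placeholder.
APPROVED_EXCEPTIONS: Dict[str, dict] = {
    "account_lockout_threshold": {
        "ticket": "CHG-EXAMPLE-001",
        "approved_by": "security-team",
        "expires": "2030-01-01",  # ISO date; compared lexically below
        "value": 20,
    },
}


@dataclass
class DriftReport:
    """Outcome of one baseline check, grouped by how each setting fared."""
    compliant: List[str] = field(default_factory=list)
    approved_exceptions: List[str] = field(default_factory=list)
    unapproved_drift: List[str] = field(default_factory=list)


def check_baseline(
    observed: Dict[str, object],
    baseline: Dict[str, object] = BASELINE,
    exceptions: Dict[str, dict] = APPROVED_EXCEPTIONS,
    today: str = "2025-01-01",
) -> DriftReport:
    """Classify every baseline setting as compliant, approved exception, or drift.

    A deviation counts as an approved exception only if the register holds an
    entry for that setting, the observed value equals the approved value, and
    the approval has not expired. Anything else (including a setting that is
    missing from the observed system) is unapproved drift.
    """
    report = DriftReport()
    for setting, required in baseline.items():
        actual: Optional[object] = observed.get(setting)
        if actual == required:
            report.compliant.append(setting)
            continue
        exc = exceptions.get(setting)
        if exc and exc["value"] == actual and exc["expires"] > today:
            report.approved_exceptions.append(
                f"{setting}={actual!r} ({exc['ticket']})"
            )
        else:
            report.unapproved_drift.append(
                f"{setting}: expected {required!r}, found {actual!r}"
            )
    return report


if __name__ == "__main__":
    # Constructed observed settings for one system.
    observed_system = {
        "password_min_length": 14,
        "account_lockout_threshold": 20,  # covered by CHG-EXAMPLE-001
        "smb1_enabled": True,             # no approval on file
        "rdp_nla_required": True,
    }
    result = check_baseline(observed_system)
    print("Compliant:          ", result.compliant)
    print("Approved exceptions:", result.approved_exceptions)
    print("Unapproved drift:   ", result.unapproved_drift)
```

Running the check with a later `today` value shows the other failure mode the text warns about: once the approval expires, the same deviation is reported as unapproved drift and has to go back through the change process.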
Important note
If a security incident occurs on a system where a baseline isn't correctly applied and approvals are not received for that exception, you could be putting your company and, more importantly, your own role at risk.
Next, let's take a look at widely adopted security frameworks that can be incorporated into your own security program.