Change Management in a High Security Environment

Written by:  • Edited by: Jean Scheid
Updated May 15, 2011

Secure IT environments have additional risks and challenges with change management. Whether the change management is in a development environment or in operations, mission-critical systems and high-value information require additional vigilance in the change process. We'll discuss best practices.

High-Security Challenges

IT change management best practices and change control are always a challenge. Whether the environment is development, testing, integration or operations and maintenance, success requires knowing what changes happened when and why. In situations where security is critical, where privacy is paramount and the risk is great, sound change management becomes crucial.

High-security environments have higher risks as a matter of course. Extra care should be taken to ensure changes required by the discovery of one vulnerability or flaw do not introduce additional problems. Conversely, a change must happen promptly if the reason for the change is a patch for a security vulnerability and there is no other means of eliminating that vulnerability besides patching. Security constraints may be violated by changes, so changes in a secure system require additional auditing and validation. Ensuring new problems are not created by the change is always important, but especially so where security is high.

Need to Know

Where secrecy or limited access applies, it is even more important that configuration changes do not bypass defined change control policies. While in any sound change management structure only the approved changes should be implemented, this is even more critical when security is paramount. In highly secure IT environments, additional steps or stages for approval may be required for changes. Checking, logging and recording the changes made, and reporting those changes to the appropriate parties, are always important, but extremely so in high-security situations. Incorrect information about the system state, configuration or other aspects of changes can bring about even bigger problems. Informing stakeholders in advance of the exact nature of the changes, the risk to the business, and the roll-back plan should be part of your standard practice.

Other Considerations

When data must remain private due to regulations such as the Health Insurance Portability and Accountability Act (HIPAA), additional examination or audit steps should also be taken during the change process. For systems that deal with financial data, we should ask: Can notification of a change or documentation of the change be a vulnerability or a risk? It may seem like an unlikely case, but consider that you wouldn't want to inform burglars when the security system is going down for maintenance. A certain level of privilege or access may be required even to see change management proposals, decisions and related documentation. Proper disposal of printed material, such as shredding, is important for hard copies of changes made in a secure system or environment. Always follow best practices for document retention and destruction.

Conclusions

Sound change management plans and practices, when followed properly and consistently, work well in any InfoSec environment. Whether changes are urgent, critical, mandated or just routine, do not ignore the proper policies, procedures and processes specific to your high-security environment.

Don't just go through the procedures robotically. Carefully consider the risks, the impact, and the fall-back plan before you start. Afterward, remember to document the details: was the change completed successfully? Did the change pass follow-up tests as expected? Were all the stakeholders notified?

If you follow these IT change management best practices, you'll find success far more often when you are faced with a change to your secure information systems.

References

Lee Clemmer has over a decade of experience in IT, information security and project management.

Image Credit:

Datacenter - Wikimedia Commons/Public Domain

