Change is a necessary evil in our environments. No matter how well we plan, there are going to be exploits against our software and hardware, and the product vendors are going to release new software to address those exploits. The key to managing these changes is to implement an effective change control policy.
We need to plan for changes before we make them. This can be done by identifying the need for a change, defining the scope of the change, identifying the change that will be made, performing a risk analysis, planning the change, and then testing the change. Once the change-planning process is complete, we are ready to manage the change. This can be done by defining the change management team, communicating the change, defining the implementation team, updating all documentation and diagrams, and finally reviewing the change for effectiveness.
Change control will only help us if we make sure we have upper management support before undertaking the change control process. We must then ensure that we build a flexible change control process that addresses the different types and degrees of importance and timeliness of changes in our environments. Finally, we have to remember that change control is a learned habit, and it takes time, training, and patience before it becomes a part of our normal routine.
The most common changes we will make in our environments are applying patches and updates from vendors to address security and other issues. Before we apply a patch, however, we have to identify and understand the terminology our vendors use to identify how to address an exploit or vulnerability. We also must remain informed not only of new vulnerabilities and exploits, but of new updates to address any existing or potential vulnerabilities and exploits. If necessary, we need to budget and plan for purchasing a maintenance or support agreement to ensure we have timely access to software updates. We must define a policy and procedure for updating our systems as well as ensure that all changes go through change control to minimize the risk of updating our systems. Finally, we must apply updates to our systems in a timely fashion to ensure that our systems are as protected as quickly, and safely, as possible.