Understanding Change Management's Security Impact
Date: Aug 5, 2024
This chapter examines the critical role of change management processes in fortifying an organization’s cybersecurity posture. Change management minimizes unplanned outages due to unauthorized alterations by helping to manage cybersecurity and operational risks. This chapter covers the following topics related to Objective 1.3 of the CompTIA Security+ SY0-701 certification exam: Business processes impacting security operation, Technical Implications, Documentation, and Version control.
This chapter covers the following topics related to Objective 1.3 (Explain the importance of change management processes and the impact to security) of the CompTIA Security+ SY0-701 certification exam:
Business processes impacting security operation
Technical Implications
Documentation
Version control
This chapter examines the critical role of change management processes in fortifying an organization’s cybersecurity posture. Change management is more than just an administrative task; it is a significant component of audit and compliance requirements, providing a structured approach for reviewing, approving, and implementing changes to information systems. Change management minimizes unplanned outages due to unauthorized alterations by helping to manage cybersecurity and operational risks. The process typically involves well-defined steps, such as requesting, reviewing, approving, or rejecting and testing, scheduling, implementing, and documenting changes. These steps can serve as a blueprint for standard operating procedures (SOPs) in change management, ensuring that each alteration is systematically vetted and executed. As you will see throughout this chapter, a structured approach is vital for maintaining the integrity and resilience of security mechanisms in the face of a constantly evolving threat landscape.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Chapter Review Activities” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 3-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”
Table 3-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section | Questions
---|---
Business Processes Impacting Security Operations | 1–4
Technical Implications | 5–7
Documentation | 8, 9
Version Control | 10
1. Which of the following can be a consequence of an ineffective approval process?
a. It can lead to poorly vetted changes being implemented, inadvertently introducing new system vulnerabilities.
b. It can lead to a more comprehensive security solution.
c. It can lead to failure of asset ownership protocols.
d. It can cause communication problems between stakeholders.
2. Who is responsible for defining an asset’s security requirements, managing its risk profile, and addressing any vulnerabilities in the system?
a. Stakeholders
b. Customers
c. Owners
d. Approvals
3. Who are stakeholders, in the context of security operations in an organization?
a. Only the IT staff
b. Only individuals or groups external to the business
c. Only customers
d. Any individual or group vested in the organization’s security posture, which can include system users, IT staff, management, customers, investors, and any entity affected by a security breach or whose actions could impact the organization’s security posture
4. What is the role of an approval process in an organization’s security operations?
a. To define the asset’s security requirements
b. To manage the risk profile of assets
c. To dictate how changes impacting security are approved and who holds the authority to make such decisions
d. To establish the accountability of asset owners
5. What is the primary purpose of an allow list in a system’s security?
a. To list all actions that are disallowed in the system
b. To approve inputs a user or machine can perform in the system
c. To list all the modifications to security protocols
d. To identify the potential consequences or effects of a technology-related decision or event
6. What is the purpose of restricted activities in a computer or network system?
a. To disrupt business operations and negatively impact employee productivity
b. To list the potential consequences of a technology-related decision
c. To uphold cybersecurity standards by limiting or prohibiting specific actions or operations
d. To approve specific actions or operations
7. Why is understanding the technical implications of any new or existing system crucial in security operations?
a. It is needed for the approval process.
b. It helps in maintaining functionality and security for the system.
c. It helps in defining the restricted activities.
d. It assists in implementing deny lists.
8. Why is maintaining up-to-date documentation crucial in IT or cybersecurity operations?
a. It is essential for updating policies and procedures.
b. It ensures a clear understanding of system operations, facilitates staff training, and helps in troubleshooting issues.
c. It helps in updating diagrams of systems or networks.
d. It assists in managing network interfaces.
9. What is the significance of updating diagrams in IT and cybersecurity?
a. It aids in creating user guides and technical specifications.
b. It assists in understanding the rules governing how IT systems are used and secured.
c. It ensures that everyone has an accurate and current picture of the systems, enhancing troubleshooting and system upgrades.
d. It helps in updating policies and procedures.
10. Why is version control vital in IT and cybersecurity domains?
a. It makes it possible to track changes to files, pinpoint when and by whom those changes were made, and, if necessary, revert to an earlier version.
b. It helps to ensure the security of the data in the files.
c. It allows the user to duplicate files for various purposes.
d. It aids in the encryption of the files.
Business Processes Impacting Security Operations
Security operations in any organization are often heavily influenced by various business processes. A business process is a set of coordinated tasks and procedures that an organization uses to accomplish a specific organizational goal or to deliver a particular product or service. Each process—be it approval mechanisms, ownership protocols, stakeholder interactions, impact analysis, or test results evaluation—has the potential to shape the organization’s security posture. For instance, an ineffective approval process could lead to poorly vetted changes being implemented and new system vulnerabilities inadvertently being introduced. It’s important to note that the effectiveness of business processes is often gauged using performance baselines. A performance baseline serves as a standard measure to assess the impact of any changes on security, ensuring alignment with organizational security objectives.
On the other hand, a robust ownership protocol ensures that each asset, such as a data set or an application, has an assigned custodian, and ensures that its security requirements are regularly reviewed and addressed. Understanding the interaction between these business processes and security operations is crucial for maintaining a strong security stance and safeguarding an organization’s assets.
Approval Process
The approval process is a crucial business procedure that dictates how changes impacting security are approved and who holds the authority to make such decisions. The approval process typically follows a step-by-step verification process to ensure that all necessary precautions are considered and the planned change will not introduce new vulnerabilities.
Ownership
In the context of security, ownership refers to the individual or team that is responsible for specific assets, such as databases or applications, and that is accountable for their security. Owners are typically responsible for defining an asset’s security requirements, managing its risk profile, and addressing any vulnerabilities in the system. A crucial component of recognizing ownership is establishing accountability. Ownership ensures that each asset is consistently maintained, protected, and updated according to the security requirements of a specific system.
Stakeholders
Stakeholders are individuals or groups vested in an organization’s security posture who can directly impact security procedures and policies. Stakeholders may include system users, IT staff, management, customers, investors, or any entity that would be affected by a security breach or whose actions could impact the security posture of an organization. Involving stakeholders in security decision-making processes can lead to more comprehensive security solutions, as diverse perspectives help in identifying potential threats and vulnerabilities. Remember that stakeholders can sit inside a specific business department, elsewhere in the business, or entirely outside the business.
Impact Analysis
Impact analysis is a process that involves assessing the potential effects of changes on the organization’s security landscape. You may encounter impact analysis in the form of a business impact analysis (BIA), which we will explore in depth in Chapter 24, “Understanding Elements of the Risk Management Process.” An impact analysis also helps in proactively identifying possible security risks or issues to a system. Security analysts should conduct an impact analysis to better understand how to effectively allocate resources such as staff, budget, and tools.
Test Results
A test result is an outcome of a specific test, such as a penetration test, vulnerability assessment, or simulated attack. The test results of newly implemented security measures play a crucial role in determining the effectiveness of those measures and any adjustments needed.
Test results offer insights into the strengths and weaknesses of a system’s security, informing decisions about necessary improvements or adjustments. Essentially, they serve as a report card for the organization’s cybersecurity measures. It’s crucial to note what type of test result you are reviewing and how the results were generated. A test result from a vulnerability scanner will show detailed technical insights specific to each system and will generally lack bias. A human-generated test result, such as a result in a cybersecurity risk assessment, might have subjective content and require additional context to be understood.
Backout Plan
Every change in an IT system or process needs a backout plan—a meticulously outlined procedure designed to revert any changes that negatively impact security or business operations. A backout plan is more than just a rollback strategy; it’s a critical IT service management framework component. A backout plan adheres to a predefined action list and should be created before any software or system upgrade, installation, integration, or transformation occurs. This plan typically includes detailed steps and techniques for uninstalling a new system and reversing process changes to a pre-change working state. The objective is to ensure that automated system business operations continue smoothly, especially if post-implementation testing reveals that the new system fails to meet expectations. As a best practice, you should avoid making changes during peak business hours and always have a comprehensive backout plan.
Maintenance Window
A maintenance window is a designated time frame for performing system updates or changes that is strategically chosen to minimize disruptions. We used to say, “Maintenance on a Friday is guaranteed work on a Saturday.” Choose your maintenance windows carefully to balance impacts on the business and plan for any unexpected operational impacts that result from your maintenance.
You might find that in a software as a service (SaaS) company, you need to do maintenance on the company’s virtual private network (VPN). Engineers may use the VPN for secure remote access and use it frequently throughout the day to connect to development systems, but the usage levels may drop drastically after 6:00 p.m. You would therefore want to plan your maintenance window from 7:00 p.m. to minimize outages to any critical work happening at the company.
Standard Operating Procedure
A standard operating procedure (SOP) is a step-by-step instruction set to help workers carry out complex routine operations. SOPs are crucial for maintaining consistency, enhancing security, and ensuring that all team members follow best practices in daily operations. SOPs should be vetted all the way through the senior leadership team to ensure executive support for planned activities.
Technical Implications
Technical implications refer to the potential consequences or effects of a technology-related decision or event in the cybersecurity landscape. Technical implications could involve alterations to network infrastructure, modifications to security protocols, or the need for additional server capacity following the implementation of new software or systems. It is important to ensure that you understand all technical implications of any new or existing system to ensure that you can maintain functionality and security for that system.
Allow Lists
Allow lists, or whitelists, are lists of approved inputs a user or machine can enter on a system. Using an allow list is an easy and safe way to validate well-defined inputs such as numbers, dates, or postal codes because it allows you to clearly specify permitted values and reject everything else. With HTML5 form validation, you get predefined allow list logic in the built-in data type definitions, so if you indicate that a field contains an email address, you have ready email validation. If only a handful of values are expected, you can use regular expressions to explicitly include them on an allow list.
Using an allow list gets tricky with free-form text fields, where you need some way to allow the vast majority of available characters, potentially in many different alphabets. Unicode character categories can be useful for allowing, for example, only letters and numbers in a variety of international scripts. You should also apply normalization to ensure that all input uses the same encoding, and no invalid characters are present. An allow list needs to be continuously updated as the company works with new applications and removes old ones, and a lot of resource time is required to maintain it. We will explore allow lists in greater detail in Chapter 9, “Understanding the Purpose of Mitigation Techniques Used to Secure the Enterprise.”
Block Lists/Deny Lists
In the context of input validation, a deny list is a list of specific elements, characters, or patterns that are disallowed from being entered into a system. When approaching input validation from a security perspective, you might be tempted to implement it by simply disallowing elements that might be used in an injection attack. For example, you might try to ban apostrophes and semicolons to prevent SQL injection (SQLi), parentheses to stop malicious users from inserting a JavaScript function, or angle brackets to eliminate the risk of someone entering HTML tags. Limiting or blocking specific inputs is called block listing or deny listing, and it’s usually a bad idea because a developer can’t possibly know or anticipate all possible inputs and attack vectors. Blocklist-based validation is hard to implement and maintain and very easy for an attacker to bypass.
If you decide to use deny lists despite these issues, treat them as an additional maintenance point: understand that they can break legitimate input, and do not let the application logic above them depend on the deny list to stop attacks.
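The following is an added example, not code from the book, illustrating both the allow-list section and the deny-list section above. It builds the three kinds of allow list the text describes (a fixed-shape field, a small set of expected values, and a free-form field restricted by Unicode character categories after normalization) and places a typical character-based deny list beside them to show the two problems the text warns about: a deny list rejects legitimate input such as a name containing an apostrophe, and it says nothing about input it never anticipated. The field names, the set of roles and the sample inputs are constructed for the example; it runs under Node.js with no packages.

```javascript
// Added example (not from the book). Allow-list validators of the kinds the
// chapter describes, beside a character-based deny list, so the difference in
// behaviour on legitimate and unexpected input can be seen directly.

// --- Allow lists: accept only values that match a tightly defined shape ---

// Well-defined field: a five-digit postal code (constructed example).
const POSTAL_CODE = /^\d{5}$/;

// Only a handful of values are expected, so list them explicitly.
const ALLOWED_ROLES = new Set(['viewer', 'editor', 'admin']);

// Free-form name field: letters (\p{L}), combining marks (\p{M}, accents in
// decomposed text), digits (\p{N}), plus space, hyphen and apostrophe, which
// legitimate names contain. The `u` flag is required for \p{...} escapes.
const NAME_FIELD = /^[\p{L}\p{M}\p{N} '-]{1,64}$/u;

function isValidPostalCode(value) {
  return typeof value === 'string' && POSTAL_CODE.test(value);
}

function isAllowedRole(value) {
  return ALLOWED_ROLES.has(value);
}

// Normalize to NFC first so the same text always arrives in one encoding,
// then apply the category-based allow list. Returns the normalized value on
// success and null on rejection, so callers never see the raw input.
function allowNameField(value) {
  if (typeof value !== 'string') return null;
  const normalized = value.normalize('NFC');
  return NAME_FIELD.test(normalized) ? normalized : null;
}

// --- Deny list: reject input containing characters thought to be dangerous ---

// The first attempt the chapter describes: ban apostrophes, quotes,
// semicolons, parentheses and angle brackets. Each newly discovered
// "dangerous" character becomes another entry to maintain here.
const DENIED_CHARS = /['";()<>]/;

function passesDenyList(value) {
  return typeof value === 'string' && !DENIED_CHARS.test(value);
}

// Run one input through both approaches for side-by-side comparison.
function compareValidators(value) {
  return {
    input: value,
    denyListAccepts: passesDenyList(value),
    allowListAccepts: allowNameField(value) !== null,
  };
}
```

Calling `compareValidators("O'Brien")` reports that the deny list rejects a perfectly valid surname while the allow list accepts it, and `compareValidators('a\tb')` shows the opposite: a control character the deny list never anticipated passes straight through, while the allow list rejects it because it is not in the permitted set. That asymmetry is the practical reason the text recommends allow lists and tells you not to rely on a deny list as the layer that stops attacks.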
Restricted Activities
Restricted activities are specific actions or operations within a computer or network system that are limited or prohibited to maintain cybersecurity standards. These limitations are often defined through allow lists and deny lists, which, as you’ve just seen, explicitly outline what is permitted and what is not. For example, restricted activities may include accessing specific system components or downloading unapproved software.
Clearly defined restricted activities are crucial for upholding secure environments and effectively communicating IT systems’ acceptable use to internal and external stakeholders. These restrictions are commonly introduced during the employee onboarding process through key documentation like acceptable use policies (AUPs). In change management, access to critical areas like the production environment and change management software is typically restricted to authorized personnel only to ensure that only qualified individuals can make or approve changes, reducing the risk of unauthorized or harmful modifications.
Downtime
Downtime is time during which a system, network, or software application is unavailable to end users or completely offline. Downtime can be scheduled, such as during maintenance windows, as discussed earlier, or it can be unplanned, due to technical problems or even cyberattacks. Acceptable downtime includes planned work such as critical system patching or planned upgrades. A common standard of availability is 99.999%, commonly referred to as “five 9s” availability. “Two 9s” would be a system that guarantees 99% availability in a one-year period, allowing up to 1% downtime, or 3.65 days of unavailability. If you leverage third-party services, you need to ensure that their systems match, or exceed, your published service-level agreements (SLAs). You may need to implement a change if there is a misalignment between the SLA you have with your clients and what any third-party services provide to you. Unplanned downtime can disrupt business operations, negatively impact employee productivity, and potentially result in data loss. Reducing downtime is therefore a constant focus for IT professionals and is crucial in cybersecurity and IT management. It’s essential to have strategies to address issues when they happen and minimize the duration and impact of unplanned downtime.
Planned downtime is needed to conduct IT maintenance activities, software installation or upgrades, and other activities requiring non-active systems. You might need to upgrade a firewall on the network, which would require turning off the current system. To prevent making the network and end users vulnerable, you would schedule downtime, typically in off-hours/non-peak time, to replace the network device.
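The following is an added example, not code from the book, that works the availability arithmetic in the Downtime section and then goes one step beyond the text: it checks whether a published SLA can actually be met given the SLAs of the third-party services a system depends on. When several dependencies must all be up for the service to work, the best availability the service can reach is the product of their availabilities, which is why a chain of “three 9s” vendors cannot support a “three 9s” promise to your own clients. The percentages passed in are constructed sample values; the code runs under Node.js with no packages.

```javascript
// Added example (not from the book). Converts availability percentages into
// permitted downtime and checks a published SLA against the SLAs of the
// third-party services it depends on.

// A non-leap year, which is what yields the chapter's 3.65-day figure for 99%.
const MINUTES_PER_YEAR = 365 * 24 * 60;

// Downtime a given availability permits per year, in minutes.
function allowedDowntimeMinutesPerYear(availabilityPercent) {
  if (typeof availabilityPercent !== 'number' || availabilityPercent < 0 || availabilityPercent > 100) {
    throw new RangeError(`availability must be a percentage between 0 and 100, got ${availabilityPercent}`);
  }
  return MINUTES_PER_YEAR * (1 - availabilityPercent / 100);
}

// The same figure in days, the unit the chapter uses for "two 9s".
function allowedDowntimeDaysPerYear(availabilityPercent) {
  return allowedDowntimeMinutesPerYear(availabilityPercent) / (24 * 60);
}

// Best-case availability of a service that needs every listed dependency to
// be up at the same time: the product of the individual availabilities.
// (Assumes independent failures; correlated outages make it worse, not better.)
function compositeAvailability(dependencyPercents) {
  if (!Array.isArray(dependencyPercents) || dependencyPercents.length === 0) {
    throw new RangeError('at least one dependency availability is required');
  }
  return dependencyPercents.reduce((acc, p) => acc * (p / 100), 1) * 100;
}

// Compare what you promised your clients with what your dependency chain can
// deliver. When misaligned, report the extra downtime per year you are
// exposed to, which is the gap a change request would need to close
// (a better vendor tier, redundancy, or a revised published SLA).
function checkSlaAlignment(publishedPercent, dependencyPercents) {
  const achievablePercent = compositeAvailability(dependencyPercents);
  const aligned = achievablePercent >= publishedPercent;
  const shortfallMinutesPerYear = aligned
    ? 0
    : allowedDowntimeMinutesPerYear(achievablePercent) - allowedDowntimeMinutesPerYear(publishedPercent);
  return { publishedPercent, achievablePercent, aligned, shortfallMinutesPerYear };
}
```

With the constructed inputs, `checkSlaAlignment(99.9, [99.9, 99.9])` comes back misaligned with roughly 525 extra minutes of exposure per year, while `checkSlaAlignment(99.9, [99.95, 99.95])` is aligned with a small margin. The product rule is the check to run before signing an SLA that depends on vendors whose own SLAs you have not composed.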
Service Restart
In your role as an IT or security professional, one task you’ll likely encounter is a service restart, which involves halting and then reactivating a system service to implement updates, patches, or configuration changes. This process is similar to turning off a car that’s encountering a minor glitch and then restarting it.
The key aspect to note here is to understand the potential implications of a service restart, such as a momentary disruption of service. You need to ensure that potential users of the system are aware of any time impacts. You also need to thoroughly map the connections the service might have with other systems. You don’t want to restart a service connected to a critical database that could make the organization or its data vulnerable to attackers. To minimize disruption to users, it is crucial to ensure that this action occurs during a predetermined maintenance window.
Application Restart
Software application restarts are sometimes necessary procedures. An application restart is like a service restart, but it is concentrated on a specific software application. An example you’re no doubt familiar with is an app on your phone freezing and needing to be restarted to function correctly again.
Application restarts are common in IT and cybersecurity. You may often need to restart applications or systems to load patches and enforce updates. Again, communication and coordination with the stakeholders of the application are key.
Legacy Applications
In the course of your career, you will likely encounter older systems still running on a network for a variety of reasons. Handling legacy applications, which are older software programs still serving a critical function in an organization, is a typical duty you might face.
Legacy applications allow you to leverage uncommon technology, and they can be fun, especially if the original engineers are still working on the system. However, dealing with legacy applications often requires understanding older technologies and the specific nuances associated with them, which can be especially challenging if the original engineers have moved on. It is important to understand any connection the legacy application requires to function. You might find limitations in the types of operating systems the organization must maintain if the legacy application requires a certain OS to run properly.
Dependencies
When working with software components, grasping dependencies is crucial. Dependencies refer to the relationships where one software component or service relies on another to function correctly. Think of the roof on a house. The roof may be supported by large beams of wood or stone columns. If you were to remove any of the beams or columns, you would jeopardize the integrity of the roof. Understanding dependencies is critical when troubleshooting issues, managing updates, and implementing changes in the IT environment.
Services, newer applications, and legacy applications are all likely to have critical dependencies that you need to understand before you do any maintenance on them.
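The following is an added example, not code from the book, of the dependency map the Service Restart and Dependencies sections say you should have before touching a service. It records which services rely on which, answers the question “what is affected if I restart this?” by walking the reverse dependencies, and produces a start order in which every service comes up after the things it needs, refusing to proceed if the map contains a cycle (which would mean the map itself is wrong). The service names and their relationships are constructed for the example; the code runs under Node.js with no packages.

```javascript
// Added example (not from the book). A small service dependency map with
// impact analysis for a restart and a safe bring-up order.

// Edges read "X depends on Y": X cannot work unless Y is running.
// Names are constructed for the example.
const DEPENDENCIES = {
  'web-frontend': ['api'],
  'api': ['auth-service', 'orders-db'],
  'auth-service': ['ldap'],
  'reporting': ['orders-db'],
  'orders-db': [],
  'ldap': [],
};

// Reverse the map: for each service, the services that depend on it.
// Rejects references to services that were never declared, so an
// incomplete map is caught rather than silently treated as "no impact".
function buildDependents(deps) {
  const dependents = {};
  for (const name of Object.keys(deps)) dependents[name] = [];
  for (const [name, needs] of Object.entries(deps)) {
    for (const need of needs) {
      if (!(need in deps)) throw new Error(`${name} depends on undeclared service ${need}`);
      dependents[need].push(name);
    }
  }
  return dependents;
}

// Every service that is affected, directly or transitively, when `service`
// is stopped for a restart. Returned sorted so results are easy to compare.
function impactedByRestart(deps, service) {
  if (!(service in deps)) throw new Error(`unknown service ${service}`);
  const dependents = buildDependents(deps);
  const seen = new Set();
  const stack = [service];
  while (stack.length > 0) {
    const current = stack.pop();
    for (const dependent of dependents[current]) {
      if (!seen.has(dependent)) {
        seen.add(dependent);
        stack.push(dependent);
      }
    }
  }
  return [...seen].sort();
}

// Bring-up order after a restart: depth-first topological sort, so each
// service appears after everything it depends on. A cycle is reported as an
// error because no valid order exists and the map needs correcting.
function startOrder(deps) {
  const order = [];
  const state = {}; // undefined = unvisited, 1 = in progress, 2 = finished
  function visit(name, path) {
    if (state[name] === 2) return;
    if (state[name] === 1) throw new Error(`dependency cycle: ${[...path, name].join(' -> ')}`);
    state[name] = 1;
    for (const need of deps[name] || []) visit(need, [...path, name]);
    state[name] = 2;
    order.push(name);
  }
  for (const name of Object.keys(deps).sort()) visit(name, []);
  return order;
}
```

`impactedByRestart(DEPENDENCIES, 'orders-db')` lists `api`, `reporting` and `web-frontend`, which is the set of stakeholders to notify before the maintenance window, and `startOrder(DEPENDENCIES)` gives the sequence to follow when bringing services back so that nothing starts before its dependencies. Keeping the map in version control alongside the network diagrams makes the impact list reproducible rather than something remembered by whoever did the last restart.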
Documentation
An essential part of any IT or cybersecurity professional’s role is the creation and maintenance of documentation. Documentation is written material that provides information about a system or process. It might include user guides, technical specifications, or system descriptions. Documentation may also be written for specific products (for example, product documentation, user guides) or for specific processes (for example, installation instructions, uninstallation guides, patching processes). Documentation can also include policies, procedures, standards, and guidelines. Many organizations have their own security policies that cover critical security topics such as change management and change control policies, information security policies, acceptable use policies (AUPs), and business continuity planning (BCP)/disaster recovery policies (DRPs).
Good documentation ensures a clear understanding of system operations, making it easier to train new staff and troubleshoot issues. It is often a good idea to begin with documentation when trying to ascertain any dependencies software or a system may require for operations and to map any dependencies.
Updating Diagrams
In the ever-evolving landscape of your IT environment, the process of updating diagrams plays a vital role. Updating diagrams is the process of editing current diagrams of systems or networks and inserting any changes that have occurred since the diagrams were originally created. As a best practice, you should ensure strong version control and put a version control number on every diagram. Diagrams can be visualized as maps or blueprints of your network or flowcharts of a process.
Updating diagrams ensures that everyone has an accurate and current picture of the systems. This clarity can significantly enhance troubleshooting and system upgrades. A good configuration management process helps to prevent small or large changes from going undocumented. Undocumented changes can lead to poor performance, inconsistencies, or noncompliance and can negatively impact business operations and security. Poorly documented changes add to instability and downtime. Having good network diagrams and well-written and up-to-date documentation is crucial and allows you to not only troubleshoot problems but also respond quickly to security incidents.
Updating Policies/Procedures
One crucial responsibility you will shoulder is updating policies and procedures. In the cybersecurity landscape, policies are the rules governing how IT systems are used and secured, whereas procedures are the specific steps required to implement these rules. It’s worth noting that policies and procedures are directive controls and help communicate expectations to an organization. You must continuously revise policies and procedures to align with technological advancements, environmental shifts, or system modifications. Doing so ensures smooth, efficient, and secure operation of your IT infrastructure.
You should generally pay special attention to legacy applications that require unique user instructions. For instance, a legacy terminal application that is used to manage network interfaces could inadvertently expose privileged access if a policy changes but the corresponding procedures are not updated.
Version Control
Understanding and effectively implementing version control is vital in IT and cybersecurity domains and extends into areas like documentation. Version control is a system that records changes to a file or set of files over time so that you can recall specific versions later. It allows you to track modifications, pinpoint when and by whom changes were made, and, if necessary, revert to an earlier version.
For example, in modern IT environments, code is often checked into a version control repository like GitLab or GitHub. Each change is integrated and tested with the rest of the software system. Organizations that lack proper version control face challenges in tracking bug fixes and security patches. Similarly, vendors and software providers that lack appropriate version control make it difficult for consumers to correlate, triage, and patch security vulnerabilities. Proper version control is a best practice and a necessity for maintaining a secure and efficient operational environment.
Failure to maintain version control can lead to confusion and potential problems. Consider, for instance, a potential issue when a team member says, “Aren’t we on version 2.3?” only to discover that the system was updated to version 4.0 weeks ago. Effective version control not only aids in managing changes and troubleshooting issues in a collaborative environment but also plays a crucial role in communicating updates to policies and procedures throughout an organization. It’s an essential component of any well-run organization.
Review Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 3-2 lists these key topics and the page number on which each is found.
Table 3-2 Key Topics for Chapter 3
Key Topic Element | Description | Page Number
---|---|---
Section | Business Processes Impacting Security Operations | 41
Section | Technical Implications | 43
Paragraph | Allow lists | 44
Paragraph | Deny list | 44
Section | Documentation | 47
Section | Version Control | 48
Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
business process
approval process
ownership
stakeholder
impact analysis
test result
backout plan
maintenance window
standard operating procedure (SOP)
technical implications
allow list
deny list
restricted activity
downtime
service restart
application restart
legacy application
dependency
documentation
updating diagrams
policy
procedure
version control
Review Questions
Answer the following review questions. Check your answers with the answer key in Appendix A.
1. What is the primary purpose of patch management in an organization’s security operations?
2. What is the role of business processes in security operations?
3. What is the significance of an approval process in an organization’s security posture?
4. How does ownership of assets influence security operations in an organization?
5. Define the term technical implications in the context of cybersecurity.
6. What is an allow list, and what role does it play in system security?
7. What is the downside of relying solely on a block list, or deny list, for input validation?
8. What are restricted activities in the context of cybersecurity?
9. What is the importance of documentation in IT and cybersecurity operations?
10. Why is version control essential in IT and cybersecurity domains?