Change Management is really risk management.
Change management is often viewed as a set of rigid standards and processes, but it should be an enabler of change, not an obstacle. The point of change management is to ensure that any change is made in a manner that minimizes risk to the organization. Several standards mandate this:
Payment Card Industry Data Security Standard (PCI DSS): Requirement 6.4 states, “Follow change control processes and procedures for all changes to system components.” Your organization should have appropriate methods to control any changes into and out of your environment. Requirement 6.4 requires that your organization’s change control program include a documented roll-back plan, a testing phase, management approval, and updated documentation. The PCI DSS warns, “Without properly documented and implemented change controls, security features could be inadvertently or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced.”
Service Organization Control 2: CC8.1 “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.”
National Institute of Standards and Technology SP 800-53: CM-3 CONFIGURATION CHANGE CONTROL “The organization determines the types of changes to the information system that are configuration-controlled; reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses…”
Those are just a few examples; it is safe to say that every information security standard includes some form of change control.
What constitutes a change?
According to ITIL, a change is “the addition, modification or removal of any authorized, planned, or supported service or service component that could have an effect on IT services.”
Types of Changes: ITIL distinguishes three: standard changes (pre-approved, low-risk, routine), normal changes (assessed and approved through the regular process), and emergency changes (made quickly to resolve an incident or an urgent business need).
Each of these change types carries a different amount of risk. With the recent work-from-home rush caused by COVID-19, many companies performed emergency changes. Even though an emergency requires a rapid response, the change should still follow a change management strategy.
A good emergency change management strategy would look like this: someone in senior management approves the change, the change is documented so that it can be rolled back if needed, and after the change some form of testing is performed to confirm that the change was made securely.
Let’s say that because of stay-at-home mandates, IT opened port 3389 on the firewall so people could remote into a server and work from home. First, a decision should be made by senior leadership. Say senior leadership asks IT, “How do we let users work from home?” and IT replies, “We can open port 3389 to a server and people can connect using the RDP client built into their systems.” That approval should be documented, and only then does IT open the port. The change itself should be documented in a ticket: created firewall rule 23 (SRC ANY – DST (server address) – SVC 3389 – allow) and created a NAT rule mapping external IP port 3389 to internal IP port 3389.
Next comes testing of the rule: IT uses an external computer and connects to the port successfully. Are we done? No. We should then scan our external IP to confirm that the server exposes no known vulnerabilities, and if it does, patch them promptly.
Of course, this change increases the organization’s risk: RDP exposed directly to the Internet is a routine target for password guessing and exploitation of unpatched servers. So we should put a time limit on this change. Let’s say that after 2 weeks we will review it further and determine whether there is a better long-term solution, such as a VPN or a remote desktop gateway with multi-factor authentication.
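The emergency-change steps above (approval, documented rule and rollback, testing, and a review date) can be checked mechanically against the firewall rule set. The following is an added example written for this page, not code from the original article: it audits a constructed, hypothetical rule set against a change register and flags allow rules that lack a change record, that expose a sensitive service such as RDP to ANY, or whose emergency change has passed its review date. Rule 23 and ticket CHG-1001 mirror the article’s scenario; all addresses, ticket numbers and names are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Union

# Services that should never be reachable from ANY without an approved,
# time-boxed change. Hypothetical list for this example.
RISKY_SERVICES = {22: "SSH", 445: "SMB", 3389: "RDP"}


@dataclass
class FirewallRule:
    rule_id: int
    src: str                      # "ANY" or a host/CIDR
    dst: str
    svc: int                      # destination TCP port
    action: str                   # "allow" or "deny"
    ticket: Optional[str] = None  # change ticket that created the rule


@dataclass
class ChangeRecord:
    ticket: str
    change_type: str              # "standard", "normal" or "emergency"
    approved_by: str
    rollback_plan: str
    tested: bool
    review_by: Optional[date] = None  # emergency changes get a review date


def audit_rule(rule: FirewallRule, changes: Dict[str, ChangeRecord], today: date) -> List[str]:
    """Return change-control findings for one rule (empty list means clean)."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings
    if rule.ticket is None or rule.ticket not in changes:
        findings.append(f"rule {rule.rule_id}: no change record, cannot verify approval or rollback")
        return findings
    change = changes[rule.ticket]
    if not change.approved_by:
        findings.append(f"rule {rule.rule_id}: {change.ticket} has no documented approval")
    if not change.rollback_plan:
        findings.append(f"rule {rule.rule_id}: {change.ticket} has no rollback plan")
    if not change.tested:
        findings.append(f"rule {rule.rule_id}: {change.ticket} was never tested")
    if rule.src == "ANY" and rule.svc in RISKY_SERVICES:
        findings.append(f"rule {rule.rule_id}: {RISKY_SERVICES[rule.svc]} (tcp/{rule.svc}) reachable from ANY")
        # An emergency exposure is tolerable only while it is inside its review window.
        if change.change_type == "emergency":
            if change.review_by is None:
                findings.append(f"rule {rule.rule_id}: emergency change {change.ticket} has no review date")
            elif today > change.review_by:
                findings.append(f"rule {rule.rule_id}: emergency change {change.ticket} "
                                f"passed its review date {change.review_by}")
    return findings


def audit(rules: List[FirewallRule], changes: Dict[str, ChangeRecord],
          today: Union[date, str]) -> Dict[int, List[str]]:
    """Audit every rule; `today` may be a date or an ISO string like '2020-04-10'."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return {r.rule_id: audit_rule(r, changes, today) for r in rules}


# Constructed sample data: the article's rule 23 plus two other rules.
CHANGES = {
    "CHG-1001": ChangeRecord("CHG-1001", "emergency", "CIO",
                             "delete rule 23 and the matching NAT rule", True,
                             date(2020, 3, 20) + timedelta(days=14)),   # 2-week review window
    "CHG-0990": ChangeRecord("CHG-0990", "normal", "Change Advisory Board",
                             "restore previous rule set", True),
}
RULES = [
    FirewallRule(23, "ANY", "192.0.2.10", 3389, "allow", "CHG-1001"),  # emergency RDP exposure
    FirewallRule(24, "ANY", "192.0.2.20", 443, "allow", "CHG-0990"),   # approved HTTPS rule
    FirewallRule(25, "ANY", "192.0.2.30", 445, "allow"),               # SMB rule with no ticket
]

if __name__ == "__main__":
    for rule_id, findings in audit(RULES, CHANGES, "2020-04-10").items():
        print(f"rule {rule_id}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run with a date inside the review window and rule 23 produces only the exposure warning; run it after the window and the overdue review is flagged as well, which is the check that turns the “2 weeks, then review” promise into something the firewall administrator cannot quietly forget. Rule 25 is flagged regardless of date because nothing ties it to an approval or a rollback plan.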
This is a basic example of how change control should work in an emergency. Considerations beyond “does the change solve the problem” include the increased risk of data exposure and whether the change meets the compliance requirements for any protected data types involved. If you process payment cards or health information, you cannot simply disregard the security measures needed to protect that data in order to allow remote access.