Page 1159 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

will begin having problems. Soon, the help desk is flooded with requests to fix the web server and people begin troubleshooting it.

They ask the web server programmers for help, and after some troubleshooting the developers realize that the database server isn't answering queries. They then call in the database administrators to troubleshoot the database server. After a bunch of hooting, hollering, blame storming, and finger pointing, someone realizes that a needed port on Firewall 2 is closed. They open the port and resolve the problem. At least until this well-meaning firewall administrator closes it again, or starts tinkering with Firewall 1.



Organizations constantly seek the best balance between security and usability, and there are instances when an organization makes conscious decisions to improve performance or usability of a system by weakening security. However, change management helps ensure that an organization takes the time to evaluate the risk of weakening security and compare it to the benefits of increased usability.



Unauthorized changes directly affect the A in the CIA Triad: availability. However, change management processes give various IT experts an opportunity to review proposed changes for unintended side effects before technicians implement the changes. They also give administrators time to check their work in controlled circumstances before implementing changes in production environments.

Additionally, some changes can weaken or reduce security. For example, if an organization isn't using an effective access control model to grant access to users, administrators may not be able to keep up with the requests for additional access. Frustrated administrators may decide to add a group of users to an administrators group within the network. Users will now have all the access they need, improving their ability to use the network, and they will no longer bother the administrators with access requests. However, granting administrator access in this way directly violates the principle of least privilege and significantly weakens security.
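As an added example (not from the study guide), the kind of automated pre-change check a change reviewer could run against the two changes described above, the closed port on Firewall 2 and the bulk addition of users to an administrators group; the firewall names, hosts, ports and group names are assumed for illustration:

```python
# Added example (not from the study guide): a pre-change impact review that
# flags the two side effects this page describes, a firewall rule closure that
# breaks a service dependency and a membership change that grants broad
# privileges. Hosts, ports and group names are constructed for illustration.

# Constructed dependency map: which firewall each client->server flow crosses.
DEPENDENCIES = [
    {"from": "web-server", "to": "db-server", "port": 1433, "via": "Firewall 2"},
    {"from": "internet", "to": "web-server", "port": 443, "via": "Firewall 1"},
]

# Constructed set of groups whose membership grants administrator-level rights.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}


def review_firewall_change(change, dependencies=DEPENDENCIES):
    """Findings for e.g. {"firewall": "Firewall 2", "action": "close", "port": 1433}."""
    findings = []
    if change["action"] != "close":
        return findings
    for dep in dependencies:
        if dep["via"] == change["firewall"] and dep["port"] == change["port"]:
            findings.append(f"closing port {dep['port']} on {dep['via']} breaks "
                            f"{dep['from']} -> {dep['to']} (availability impact)")
    return findings


def review_group_change(change, privileged=PRIVILEGED_GROUPS):
    """Findings for e.g. {"group": "Administrators", "add_members": ["alice"]}."""
    if change["group"] in privileged and change["add_members"]:
        return [f"adding {len(change['add_members'])} user(s) to privileged group "
                f"{change['group']!r} violates least privilege; grant a narrower role"]
    return []


def review(change):
    """Route a change request to the right check; [] means no objections."""
    if change["type"] == "firewall":
        return review_firewall_change(change)
    if change["type"] == "group":
        return review_group_change(change)
    return [f"unknown change type {change['type']!r}; needs manual review"]


if __name__ == "__main__":
    for c in ({"type": "firewall", "firewall": "Firewall 2", "action": "close", "port": 1433},
              {"type": "group", "group": "Administrators", "add_members": ["alice", "bob"]}):
        print(c["type"], "->", review(c) or ["no objections"])
```

In practice the dependency map would come from the organization's own inventory rather than a hard-coded list, which is exactly the knowledge the change review board is meant to pool.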