Page 1160 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Many of the configuration and change management
concepts in use today are derived from ITIL (formally an acronym
for Information Technology Infrastructure Library) documents
originally published by the United Kingdom. The ITIL Core
includes five publications addressing the overall lifecycle of
systems. ITIL focuses on best practices that an organization can
adopt to increase overall availability. The Service Transition
publication addresses configuration management and change
management processes. Even though many of the concepts come
from ITIL, organizations don’t need to adopt ITIL to implement
change and configuration management.
Security Impact Analysis
A change management process ensures that personnel can perform a
security impact analysis. Experts evaluate changes to identify any
security impacts before personnel deploy the changes in a production
environment.
Change management controls provide a process to control, document,
track, and audit all system changes. This includes changes to any
aspect of a system, including hardware and software configuration.
Organizations implement change management processes through the
lifecycle of any system.
Common tasks within a change management process are as follows:
1. Request the change. Once personnel identify desired changes,
they request the change. Some organizations use internal websites,
allowing personnel to submit change requests via a web page. The
website automatically logs the request in a database, which allows
personnel to track the changes. It also allows anyone to see the
status of a change request.
2. Review the change. Experts within the organization review the
change. Personnel reviewing a change are typically from several
different areas within the organization. In some cases, they may
quickly complete the review and approve or reject the change. In

