Page 1161 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 1161

other cases, the change may require approval at a formal change
                    review board after extensive testing.

                3.  Approve/reject the change. Based on the review, these experts

                    then approve or reject the change. They also record the response in
                    the change management documentation. For example, if the
                    organization uses an internal website, someone will document the
                    results in the website’s database. In some cases, the change review
                    board might require the creation of a rollback or back-out plan.

                    This ensures that personnel can return the system to its original
                    condition if the change results in a failure.

                4.  Test the change. Once the change is approved, it should be
                    tested, preferably on a nonproduction server. Testing helps verify
                    that the change doesn’t cause an unanticipated problem.

                5.  Schedule and implement the change. The change is
                    scheduled so that it can be implemented with the least impact on
                    the system and the system’s customer. This may require scheduling

                    the change during off-duty or nonpeak hours.

                6.  Document the change. The last step is the documentation of the
                    change to ensure that all interested parties are aware of it. This
                    often requires a change in the configuration management
                    documentation. If an unrelated disaster requires administrators to
                    rebuild the system, the change management documentation
                    provides them with the information on the change. This ensures

                    that they can return the system to the state it was in before the
                    change.

               There may be instances when an emergency change is required. For
               example, if an attack or malware infection takes one or more systems
               down, an administrator may need to make changes to a system or
               network to contain the incident. In this situation, the administrator
               still needs to document the changes. This ensures that the change

               review board can review the change for potential problems.
               Additionally, documenting the emergency change ensures that the
               affected system will include the new configuration if it needs to be
               rebuilt.
   1156   1157   1158   1159   1160   1161   1162   1163   1164   1165   1166