Page 1413 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

The change management process has three basic components:

               Request Control: The request control process provides an organized
               framework within which users can request modifications, managers
               can conduct cost/benefit analysis, and developers can prioritize tasks.

               Change Control: The change control process is used by developers to
               re-create the situation encountered by the user and analyze the
               appropriate changes to remedy the situation. It also provides an
               organized framework within which multiple developers can create and
               test a solution prior to rolling it out into a production environment.
               Change control includes conforming to quality control restrictions,
               developing tools for update or change deployment, properly
               documenting any coded changes, and restricting the effects of new
               code to minimize diminishment of security.

               Release Control: Once the changes are finalized, they must be
               approved for release through the release control procedure. An
               essential step of the release control process is to double-check and
               ensure that any code inserted as a programming aid during the change
               process (such as debugging code and/or back doors) is removed before
               releasing the new software to production. Release control should also
               include acceptance testing to ensure that any alterations to end-user
               work tasks are understood and functional.

               In addition to the change management process, security
               administrators should be aware of the importance of configuration
               management. This process is used to control the version(s) of software
               used throughout an organization and formally track and control
               changes to the software configuration. It has four main components:

               Configuration Identification: During the configuration
               identification process, administrators document the configuration of
               covered software products throughout the organization.

               Configuration Control: The configuration control process ensures
               that changes to software versions are made in accordance with the
               change control and configuration management policies. Updates can
               be made only from authorized distributions in accordance with those
               policies.