Change Management Processes

During my previous role as a Network Performance Optimization (NPO) engineer, in my first month on the job, I received a serious warning from my line manager during one of our training sessions. He emphasized the importance of getting official approval before implementing any optimizations or changes to keep the network running smoothly. Understanding the potential impact of changes, especially in the Radio Network Controller (RNC), where an optimization could inadvertently cause regional degradation and job losses. I learned that our client's primary Key Performance Indicator (KPI) was 100% availability, although optimization is to achieve this goal, getting change approval is most important, which required thorough justification and readiness for any potential side effects by my team. Achieving optimal network performance was a notable accomplishment that NPO engineers, like my friend Rex, celebrated passionately when ranked among the top performers. However, adherence to the rule of obtaining change approval before implementation is a major factor used in deciding the ranks.

In this post, we will look into the concept of change management, explore its impact on business processes related to security operations, discuss the technical implications of changes, and examine the essential elements of effective documentation.

Grab your favorite drink; you're going to enjoy this!

What is Change Management?

Change management is the formal process to make changes to systems, processes, goals and technologies. It ensures that these changes are implemented successfully while minimizing disruption to business operations.
Examples of changes that businesses may implement are application patches, software upgrades, Firewall Configuration Updates and Vulnerability Remediation

Business Processes Impacting Security Operation

Business processes have a great impact on security operations, determining how controls are managed in an organization. Let us go over some business processes impacting security operations:

Approval Process: security changes are evaluated and authorized by key stakeholders (Change Advisory/Control Board) before execution, hence promoting uniformity and adherence to organizational standards.

Ownership: The change owner is the individual who needs to make a change. The owner controls the change process and tests the system to ensure that the change is executed effectively and has no negative impact on the organization.

Stakeholders: individuals or groups with an interest in the proposed change, as they will be affected by its implementation and play a role in its evaluation and execution.

Impact analysis: often referred to as Business Impact Analysis(BIA) helps mitigate risks and focus on recovery efforts by evaluating the potential impact of proposed change.

Test results: entail conducting test both before and after implementing changes to confirm the desired outcomes and identify areas needing further adjustments. A sandbox test, conducted in an isolated environment, is a common pre-production test that does not impact live systems.

Backout plan: strategy for rolling back to original configurations to limit the impact of failed security changes, thereby minimizing disruptions to business operations.

Maintenance window: scheduled time to implement security changes without notably impacting operations. This is decided after understanding business busy/peak hours.

Standard Operating Procedure(SOP): documented step-by-step procedures for implementing a change in order to promote consistency and efficiency in security operations.

Technical Implications of Changes

These are possible implications that changes to systems, software, or configurations may have on an business operations.

Allow lists/deny lists: are list that dictate which applications are permitted or blocked from operating in your organization. When applying changes, review these lists to ensure that only the right applications are allowed, as they are ones that can be assessed.

Restricted activities: only implement changes outlined within the change control document's scope. In instances where adjustments are necessary, a documented change control process should be in place to ensure clarity and avoid confusion among all stakeholders.

Downtime: Applying changes might cause service disruptions which could lower productivity and perhaps cost the business financially. You can minimize downtime events by having secondary system in place to provide availability for the period of change implementation. You can also send out notices to those who may be impacted should there by a downtime.

Service restart: some changes may require service restarts and have the potential to disrupt services, resulting in backlogs or data loss.

Application restart: just like service restart, applications may also need to be restarted in response to changes thereby interfering with accessibility or performance

Legacy applications: Legacy applications are older software still in use due to their critical importance to the organization, despite the availability of newer alternatives, yet they lack support and are less flexible, making them more sensitive to change, where even minor alterations can lead to system crashes.

Dependencies: Before implementing changes, it is essential to map dependencies as interconnected systems create dependencies in which changes in a single domain impact others, requiring careful evaluation to ensure that all dependencies are addressed, avoiding disruptions or compatibility issues in systems or software.

Documentation

Change documentation is the practice of documenting any changes in any area of an organization's operations. It entails recording the reasons for the change, the precise adjustments made, the people or groups in charge of putting it into practice, and any related effects or considerations. Let's go over the elements of proper documentation

Updating diagrams: Regularly examining and modifying diagrams (network diagrams, system architecture diagrams, and process flowcharts) to accurately reflect the current state of systems, configurations, and interdependencies. This helps stakeholders in better decision-making, troubleshooting, and planning.

Updating policies/procedures: Organizational policies, processes, and documentation standards should be constantly reviewed, updated, and documented to ensure that they meet changing business needs, standards and industry best practices.

Version control

Version control is a system for tracking and managing changes to files, documents, software code, and other digital assets. It enables multiple users to work together on projects by providing means for tracking changes, reverting to prior versions, and managing continuous edits.

It keep track of modifications, allowing users to determine who made what changes, when, and why. This improves teamwork by assuring consistency, reducing conflicts, and promoting collaboration in software development and other collaborative environments, which are foundational to the principles of DevOps.

END!!!