Change Management and Configuration Management
By: Prasanna
Topic: Change Management and Configuration Management
Domain: D7 - Security Operations
Tags: #cissp
Definition
Change management controls how changes are proposed, approved, tested, implemented, and reviewed. Configuration management maintains an authoritative record of system components and their approved baselines.
Key Points
- Changes should be documented, approved, and tested before deployment.
- Rollback plans reduce the impact of failed changes.
- Configuration baselines help detect unauthorized drift.
- Standard changes and emergency changes should follow defined procedures.
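The third key point, detecting unauthorized drift against a configuration baseline, is the one that reduces directly to code. The script below is an added illustration written for this note, not part of the original study card or any vendor tool. It models a baseline as a manifest of SHA-256 digests over an approved set of configuration files, compares a live system against it to report added, removed and modified artefacts, and shows that a change pushed through the approval process updates the baseline so it is not later flagged as drift. The file contents, paths and the change-ticket identifier are constructed in memory so the script runs offline; on a real host the same manifest would be built from disk.

```python
"""Configuration baseline and drift detection (added example, not from the note).

The "system" is a constructed dict of path -> file bytes standing in for a
host's managed configuration files.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def digest(content: bytes) -> str:
    """SHA-256 of a file's content; the unit of comparison in the manifest."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(system: dict[str, bytes]) -> dict[str, str]:
    """Record the approved state as path -> digest (the authoritative baseline)."""
    return {path: digest(content) for path, content in sorted(system.items())}


@dataclass
class DriftReport:
    added: list[str] = field(default_factory=list)     # present live, absent from baseline
    removed: list[str] = field(default_factory=list)   # in baseline, missing live
    modified: list[str] = field(default_factory=list)  # digest differs

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def detect_drift(baseline: dict[str, str], system: dict[str, bytes]) -> DriftReport:
    """Compare the live system against the baseline and classify every difference."""
    current = build_baseline(system)
    report = DriftReport()
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report.added.append(path)
        elif path not in current:
            report.removed.append(path)
        elif baseline[path] != current[path]:
            report.modified.append(path)
    return report


def apply_approved_change(baseline: dict[str, str], system: dict[str, bytes],
                          path: str, new_content: bytes, ticket: str) -> None:
    """An approved change updates the live system AND the baseline together,
    so the change-managed edit is not reported as drift afterwards.
    `ticket` is a hypothetical change-record id kept only for the audit trail."""
    system[path] = new_content
    baseline[path] = digest(new_content)
    print(f"[{ticket}] baseline updated for {path}")


# Constructed approved configuration (sample values, not from any real host).
APPROVED: dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers.d/ops": b"%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n",
    "/etc/motd": b"Authorized use only.\n",
}


def demo() -> tuple[DriftReport, DriftReport]:
    """Return (drift found after unmanaged edits, drift after an approved change)."""
    baseline = build_baseline(APPROVED)
    live = dict(APPROVED)

    # Unmanaged edits: a hardening setting weakened, a file dropped, a file added.
    live["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    del live["/etc/motd"]
    live["/etc/cron.d/nightly"] = b"0 2 * * * root /usr/local/bin/nightly.sh\n"
    unmanaged = detect_drift(baseline, live)

    # Remediate to the baseline, then push one change through the process.
    live = dict(APPROVED)
    apply_approved_change(baseline, live, "/etc/motd",
                          b"Authorized use only. Sessions are logged.\n",
                          ticket="CHG-0001")  # constructed ticket id
    managed = detect_drift(baseline, live)
    return unmanaged, managed


if __name__ == "__main__":
    before, after = demo()
    print("unmanaged drift:", before)
    print("after approved change, clean:", after.is_clean())
```

The point a reviewer should take from this: the same edit is either drift or an approved change depending only on whether the baseline was updated through the process, which is exactly the distinction between the two disciplines the note draws.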
CISSP Insight
- Poorly managed changes are a common source of incidents and security weaknesses.
- Governance around change is essential for maintaining integrity and reducing operational risk.
Key Difference / Trap
- Change management vs configuration management
- Change management = process for approving and implementing change
- Configuration management = tracking and maintaining the approved state of systems
- "Works in dev" does not mean it is safe in prod
Example
A patch is submitted through change management, reviewed by a change advisory board, tested in a staging environment, and then deployed with rollback procedures.
References
- ITIL 4, Change Enablement
- NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems
- NIST SP 800-53, CM family
Quick Recall
- Change management = controlled change
- Configuration management = approved baseline tracking