What is change management? And what is the main difference between change management and configuration management?
Change management is an organized process for changing hardware, software, and systems, and it enables organizations to properly configure computing components in line with baseline security. It includes change approval, testing, scheduling and rollback arrangements throughout the entire process of applying changes. Change management is a preventive control that involves comprehensive planning, testing, logging, auditing and monitoring of activities related to security controls and business processes. It deals with changes that range from minor modifications to existing systems or applications to adding or retiring entire information systems (IS). It is also concerned with keeping the organization functioning effectively while moving from one secure state to another. Furthermore, changes to systems or processes in an organization are most likely to introduce new security vulnerabilities, so it is imperative for the organization to identify and address each new risk caused by the change.
Change management is an IT discipline that focuses on ensuring that organizations employ standardized processes and procedures to apply changes to systems and services. The main objective of the change management process in an organization is to support the processing and traceability of changes to all systems and applications. It ensures that any modification to or update of systems or applications is carried out in a controlled manner as per the change management plan. It allows IT changes to be made in a structured, formal and secure manner while minimizing negative consequences to entities. It further ensures that only authorized changes are applied and that modifications made to the system do not introduce new security exposures. Additionally, it helps to reduce unanticipated outages caused by unauthorized changes in the organization.
The major steps of the change management process include the following:
- Request the change
- Review/Evaluate the requested change
- Analyze and approve/reject the change
- Change development and scheduling
- Change implementation
- Testing the change
- Document the change
Configuration management is a key aspect of information security management that maintains information systems in a known and secure state throughout their lifetime. Change management, on the other hand, is a critical process that allows changes to be requested, reviewed, implemented and tested without compromising the secure state of information and information systems.