S 2.221 Change management

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Specialists Responsible, Change Manager

Due to the complexity of modern IT systems, even small changes to a system during operation can lead to security problems, for example due to unexpected system responses or system failures.

In terms of information security, it is the task of change management to identify new security requirements resulting from the changes made to IT systems. If major hardware or software changes are planned for an IT system, then the effects of the changes on the security of the overall system must be examined. Changes to an IT system must not result in a reduction of the efficiency of individual security safeguards and therefore pose a threat to the overall security.

For this reason, there should be guidelines for making changes to IT components, software, or configuration data (see S 4.78 Careful modifications of configurations). All changes to IT components, software, or configuration data should be planned, tested, approved, and documented. Care must be taken to ensure that all security-related changes trigger an appropriate reaction. Such changes include, for example:

• changes to IT systems (new applications, new hardware, new network connections, modifications to the software used, installation of security patches, hardware upgrades, etc.),
• changes to the tasks assigned or to the importance of the task to the organisation,
• changes to the user structure (new users, external or anonymous users, user groups),
• changes in location, for example when moving office.

Before changes are approved and implemented, the actions planned must be examined and tested to ensure the current security level is maintained during and after the change. If it is impossible to rule out some risks, especially risks to the availability of the system, then the planning phase must also include the planning of a fallback solution and the specification of criteria for deciding when the fallback solution should be used.

All changes and the corresponding reasons for making the changes must be documented. This applies to the operational environment as well as to any test environments.

One important aspect of change management is the authorisation concept for making changes:

• Only those persons allowed to make changes should have authorisation to access those areas of the system in which the changes will be made.
• There should be mechanisms available to ensure that all of the most important changes are co-ordinated in advance.

Note: When making changes, it should always be taken into account that changes to an IT system or its operating conditions can make the following changes necessary:

• changes in the implementation of individual security safeguards,
• the creation of a new security concept, or even
• revision of the organisation-wide policy for information security.

Information security management should be involved if the changes are major changes.

Review questions:

• Are there guidelines for making changes to IT components, software, and configuration data?
• Are there rules specifying that security aspects must be taken into account when making changes?
• Are all changes planned, tested, approved, and documented?
• Are fallback solutions developed before changes are made?
• Is information security management involved whenever major changes are made?