Presentation is loading. Please wait.

Presentation is loading. Please wait.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Published byJasmine Carson Modified over 8 years ago

Similar presentations

Presentation on theme: "Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,"— Presentation transcript:

1 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Change Management Chapter 21

2 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Objectives Use change management as an important enterprise management tool. Institute the key concept of separation of duties. Identify the essential elements of change management. Implement change management. Use the concepts of the Capability Maturity Model Integration.

3 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Key Terms Baseline Capability Maturity Model Integration (CMMI) Change management Change control board (CCB) Computer software configuration items Configuration auditing Configuration control Configuration identification

4 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Key Terms (continued) Configuration items Configuration management Configuration status accounting Separation of duties System problem report (SPR)

5 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Why Change Management? Should be used in all phases of a system’s life: –Development, testing, quality assurance (QA), and production. Manage system development and maintenance processes effectively: –Introducing discipline and structure that helps to conserve resources and enhance effectiveness. Change management is an essential part of creating a viable governance and control structure and critical to compliance with the Sarbanes-Oxley Act.

6 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Change Management Scenarios The following scenarios exemplify the need for appropriate change management policy and for procedures over software, hardware, and data: –The developers can’t find the latest version of the production source code. –A bug corrected a few months ago mysteriously reappears. –Fielded software was working fine yesterday but does not work properly today. –Development team members overwrote each other’s changes. –A programmer spent several hours changing the wrong version of the software.

7 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition The Key Concept: Separation of Duties A foundation for change management is the recognition that involving more than one individual in a process can reduce risk. Good business control practices require that duties be assigned to individuals in such a way that no one individual can control all phases of a process or the processing and recording of a transaction. Also referred to as segregation of duties.

8 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Some of the best practices for ensuring proper separation of duties in an IT organization are as follows: –Separation of duties among departments should be documented in written procedures and implemented by software or manual processes. –Developer and program testing should be conducted with “test” data only, safeguarding production data. –End users should not have access to source code. –All access should be based on principle of least privilege. –Change management policies and procedures should be enforced throughout the enterprise. The Key Concept: Separation of Duties (continued)

9 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Elements of Change Management Commonly referred to as configuration management, which includes four general phases: –Configuration identification –Configuration control –Configuration status accounting –Configuration auditing

10 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Configuration Identification The process of identifying which assets need to be managed and controlled. Assets could be software modules, test cases or scripts, table or parameter values, servers, major subsystems, or entire systems. Identified assets are called: –Configuration items –Or computer software configuration items Configuration identification results in a baseline.

11 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Configuration Control The process of controlling changes to items that have been baselined. Ensures that only approved changes to a baseline are allowed to be implemented. Also ensures proper use of assets and avoids unnecessary downtime due to the installation of unapproved changes.

12 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Configuration Status Accounting Consists of the procedures for tracking and maintaining data relative to each configuration item in the baseline. Closely related to configuration control. Involves gathering and maintaining information relative to each configuration item.

13 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Configuration Auditing The process of verifying that the configuration items are built and maintained according to the requirements, standards, or contractual agreements. Ensures that policies and procedures are being followed, that all configuration items (including hardware and software) are being properly maintained, and that existing documentation accurately reflects the status of the systems in operation.

14 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Implementing Change Management The change management function is scalable from small to enterprise-level projects. It can be adapted to small organizations by having the developer perform work only on her workstation (never on the production system) and having the system administrator serve in the buildmaster function. The buildmaster is usually an independent person responsible for compiling and incorporating changed software into an executable image.

15 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Software Change Control Workflow

16 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Change Management Workflow The change management workflow proceeds as follows: –1. The developer checks out source code from the code-control tool archive to the development system. –2. The developer modifies the code and conducts unit testing of the changed modules. –3. The developer checks the modified code into the code-control tool archive. –4. The developer notifies the buildmaster that changes are ready for a new build and testing/QA. –5. The buildmaster creates a build incorporating the modified code and compiles the code.

17 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition –6. The buildmaster notifies the system administrator that the executable image is ready for testing/QA. –7. The system administrator moves the executables to the test/QA system. –8. QA tests the new executables. If tests are passed, test/QA notifies the manager. If tests fail, the process starts over. –9. Upon manager approval, the system administrator moves the executable to the production system. (Some of the steps may be omitted for minor changes) Change Management Workflow (continued)

18 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition The Purpose of a Change Control Board (CCB) Oversee the change management process Facilitate better coordination between projects

19 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition

20 © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition The Change Management Process

21 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Code Integrity One benefit of adequate change management is the assurance of code consistency and integrity. Whenever a modified program is moved to the production source-code library, the executable version should also be moved to the production system. Automated change management systems greatly simplify this process and are better controls for ensuring executable and source-code integrity.

22 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition The Capability Maturity Model Integration (CMMI) Developed at Carnegie Mellon University’s Software Engineering Institute (SEI). The CMMI replaces the older Capability Maturity Model (CMM). The SEI’s web page defines six capability levels: –Level 0: Initial –Level 1: Performed –Level 2: Managed –Level 3: Defined –Level 4: Quantitatively Managed –Level 5: Optimizing

23 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Chapter Summary Use change management as an important enterprise management tool. Institute the key concept of separation of duties. Identify the essential elements of change management. Implement change management. Use the concepts of the Capability Maturity Model Integration.

Download ppt "Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,"

Similar presentations

Configuration management

Configuration management
Software change management

Software change management
Configuration management

Configuration management
Configuration Management

Configuration Management
Software Quality Assurance Plan

Software Quality Assurance Plan
Page 1 October 31, 2000 An Introduction to Large-Scale Software Development Steve Varnau Core HP-UX Operation October 31, 2000.

Page 1 October 31, 2000 An Introduction to Large-Scale Software Development Steve Varnau Core HP-UX Operation October 31, 2000.
Configuration Management

Configuration Management
Control and Accounting Information Systems

Control and Accounting Information Systems
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
More CMM Part Two : Details.

More CMM Part Two : Details.
CPIS 357 Software Quality & Testing I.Rehab Bahaaddin Ashary Faculty of Computing and Information Technology Information Systems Department Fall 2010.

CPIS 357 Software Quality & Testing I.Rehab Bahaaddin Ashary Faculty of Computing and Information Technology Information Systems Department Fall 2010.
Configuration Management Managing Change. Points to Ponder Which is more important?  stability  progress Why is change potentially dangerous?

Configuration Management Managing Change. Points to Ponder Which is more important?  stability  progress Why is change potentially dangerous?
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Software Configuration Management

Software Configuration Management
Configuration management. Reasons for software configuration management  it facilitates the ability to communicate  status of documents, coding, changes.

Configuration management. Reasons for software configuration management  it facilitates the ability to communicate  status of documents, coding, changes.
Software Configuration Management (SCM)

Software Configuration Management (SCM)
Configuration Management

Configuration Management
Introduction to Systems Analysis and Design

Introduction to Systems Analysis and Design
Software Configuration Management

Software Configuration Management
Software Configuration Management (SCM)

Software Configuration Management (SCM)

Similar presentations

Ads by Google