A change control procedure is a crucial part of any security strategy. Without one, organisations can lapse into bad habits, make frequent ad-hoc changes, become vulnerable to human error and ultimately run the risk of a security failure. In this article, Simon Heron provides practical advice on how to establish (or improve) your change control procedure to provide effective protection for your organisation.

If an organisation has no change control procedure (or a procedure that is inadequately enforced), it is at risk. It’s as simple as that. Anyone can make changes to the primary security defence with potentially disastrous results, and there is little protection against human error. A procedure should be in place, so that if and when a vulnerability is discovered, whoever makes the discovery knows exactly what needs to be done and when. Equally, if a change subsequently needs to be reversed, it should be possible to find out who did what and when they did it.

Change control in this context is the formal process of controlling changes made to a system, network or application. It ensures that changes are introduced in a co-ordinated, planned and thought-out way. If changes to a system are not controlled formally, or are not properly thought through, they will often end up leading to security problems, or even undo previously made system changes. Implementing proper change processes should result in minimal disruption and faster implementation time.

Businesses that rely on one person to make changes to their networks wrongly assume that the individual will not make a mistake. In fact, that individual has probably already made mistakes and placed the organisation at risk. Having a change control solution in place reduces the risk of undetected human error.
In an ideal world, the team in charge of change control is separate from the team implementing the change (this is a good way of ‘catching’ any changes that might cause network problems; it also makes collusion much more difficult). Alternatively, this could mean using a managed service company that takes on some of the change control function, or, if this is not possible, it could be as simple as a formal process you go through with a colleague who is not involved in the change. An effective change control process should include the following basic steps:
1. Limit who is authorised to make changes to a system. Ensure that this policy is not broken, and that all requests for change go through an authorised administrator. Put in place limited user rights, so the system cannot be tampered with by unauthorised people. In larger companies, this could be done by using a ticketing system, which places a formal ‘request’ for the change, documents it, and only allows authorised (authenticated) team members to deal with the request. Involve at least two people if possible: two people will often come up with a more effective change plan than someone working in isolation.
2. Agree a set of change criteria: why do you need the change? What is its impact on the business? And what is the impact of implementing it? Often changes are made for no real business benefit, but with a great deal of disruption. For example, in the past, we discovered that an IT manager was dropping his company firewall late at night so he could play games with friends over the Internet. Clearly not a business critical change! This can be a lot more serious where one person is making changes, as it might be for personal gain. Document a set of criteria that must be met for any change to be made, taking into account impact on the business, network downtime, cost and business need. This does not have to be long or involved; brief sentences where relevant are enough.
3. Assess the risk of making the change. This can be done through a formal risk assessment procedure (for larger companies), or by simply answering a set of questions that consider, for example, the impact of the change on other parts of the network or application. Will the change have knock-on effects? Has it been tested? Include anyone who will be affected to ensure nothing is forgotten.
4. Record the change details as part of the formal change process. This is extremely important both for identifying when and how the change was made, and in case it needs to be reversed at a later date.
5. Test the impact of the change on security. Often, we find that vulnerabilities in network security are caused not by malicious attacks, but by poorly executed changes to the system that, for example, unintentionally bypass security measures.
6. Plan the change. Inform teams if there is likely to be any impact on productivity or network availability.
7. Build and test the change, in a closed environment if possible, to make sure the implementation has been done correctly.
8. Have a plan B. If the change doesn’t work, causes an unforeseen glitch, or has some other unexpected result, ensure it can be reversed quickly (see point 4) to its previous, safe configuration while a review is done. In an uncontrolled environment it’s not unusual for so many changes to have been made together that it becomes impossible to undo an error, which can be extremely costly to put right.
9. Implement the change. Timescales should have been agreed with all those involved (see point 6), and users briefed or trained as necessary on using the new system.
10. Review its success. Has the change been worth it? Has it had a positive impact on the business? Are individuals within the business using it in the correct way? It is important to review user adoption regularly and get feedback from users; this should influence future changes.
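The following Python sketch is an added illustration, not code from the original article, of how four of the steps above (limiting who may approve a change, recording the change details, testing its impact on security, and having a plan B) look when they are enforced by a tool rather than only on paper. It works on a constructed, in-memory stand-in for a firewall rule base; the rule names, the people, the ticket numbers and the `security_invariants` check are all assumptions made for the example, and a real deployment would load and push the vendor's configuration format instead.

```python
"""Minimal change-control wrapper: separation of duties, audit record,
verified apply and automatic rollback to the previous safe configuration."""
import copy
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a firewall rule base: rule name -> rule text.
Config = Dict[str, str]


@dataclass
class ChangeRequest:
    ticket: str                          # reference to the formal request
    requester: str                       # who wants the change
    approver: str                        # must be a different person
    reason: str                          # the business justification
    apply: Callable[[Config], Config]    # produces the proposed configuration
    verify: Callable[[Config], bool]     # post-change security check


@dataclass
class ChangeControl:
    config: Config
    audit_log: List[dict] = field(default_factory=list)

    @staticmethod
    def fingerprint(cfg: Config) -> str:
        """Short content hash so a record identifies exactly which configuration it refers to."""
        return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()[:16]

    @staticmethod
    def diff(before: Config, after: Config) -> Dict[str, Tuple]:
        """Rule name -> (old, new) for every rule that was added, removed or altered."""
        keys = sorted(set(before) | set(after))
        return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}

    def _record(self, req: ChangeRequest, outcome: str, before: Config, after: Config) -> None:
        """Step 'record the change details': who, what, why, when, and the exact before/after."""
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "ticket": req.ticket,
            "requester": req.requester,
            "approver": req.approver,
            "reason": req.reason,
            "outcome": outcome,
            "before": self.fingerprint(before),
            "after": self.fingerprint(after),
            "diff": self.diff(before, after),
        })

    def submit(self, req: ChangeRequest) -> str:
        before = copy.deepcopy(self.config)
        # Separation of duties: the person making the change may not approve it.
        if req.requester == req.approver:
            self._record(req, "rejected: self-approval", before, before)
            return "rejected"
        # Apply, then test the impact on security; plan B restores the previous config.
        self.config = req.apply(copy.deepcopy(self.config))
        if req.verify(self.config):
            self._record(req, "applied", before, self.config)
            return "applied"
        rejected = self.config
        self.config = before
        self._record(req, "rolled back: verification failed", before, rejected)
        return "rolled back"


def security_invariants(cfg: Config) -> bool:
    """Assumed checks every change must pass: default-deny inbound and the admin path preserved."""
    return cfg.get("default_inbound") == "deny" and "mgmt_ssh" in cfg


def run_demo() -> Tuple[List[str], ChangeControl]:
    """Three constructed requests: a self-approved one, a legitimate one, and one that
    drops the default-deny rule (the 'firewall down for gaming' case from the article)."""
    cc = ChangeControl(config={
        "default_inbound": "deny",
        "mgmt_ssh": "allow 10.0.0.0/8 -> tcp/22",
    })
    open_https = lambda c: {**c, "web_https": "allow any -> tcp/443"}
    drop_default_deny = lambda c: {**c, "default_inbound": "allow"}
    requests = [
        ChangeRequest("CHG-1", "alice", "alice", "publish new web app", open_https, security_invariants),
        ChangeRequest("CHG-1", "alice", "bob", "publish new web app", open_https, security_invariants),
        ChangeRequest("CHG-2", "carol", "bob", "after-hours gaming", drop_default_deny, security_invariants),
    ]
    outcomes = [cc.submit(r) for r in requests]
    return outcomes, cc


if __name__ == "__main__":
    outcomes, cc = run_demo()
    print(outcomes)
    print(json.dumps(cc.audit_log, indent=2, default=str))
```

Every request leaves an audit record, including the rejected and rolled-back ones, so the "who did what and when" question from the article can be answered after the fact; the `before`/`after` fingerprints and the `diff` are what make a later reversal precise rather than a guess.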
While formal processes can seem unnecessary or bureaucratic (particularly to smaller companies), they can, if used correctly, save both time and money by preventing an avoidable attack or security breach.