Ed Welsh, Director, Security & Compliance

Change Management: A Hidden Security Tool - Part 1 of 3

Posted by Ed Welsh, Director, Security & Compliance on August 7, 2009 10:53 AM

This is the first of three postings I will share pertaining to change management.

The importance of change management for the stable operation of data support systems cannot be denied. Data center operations literature, such as the ITIL guidelines, has change management looming large as part of any solution. One of the metrics I have heard is that 80% of system outages can be attributed to a change event.

As a hosting services company, GSI takes change to any environment very seriously. Controlling that change directly affects our bottom line. Even so, change management is one of the "behind-the-scenes" services and processes that is rarely advertised directly or credited with value. A system outage will bring attention to a lack of change management, but change management is never mentioned when it prevents outages. Nobody discusses the utility provider while a home's power is on, but let the power go out and the provider is the first topic of conversation.

Since becoming Director of Security and Compliance at GSI, I have become familiar with GSI's role in securing our clients' data. I realize that change management, and a well-designed implementation of it, is a critical piece of my security toolkit. Of course, the PCI DSS includes a requirement (6.4) for change control procedures, but the requirement is under-emphasized and misses the control's real security value.

How important is implementation?

I will take a few lines here to briefly describe GSI's implementation of our change management methods. How the process is implemented matters, in many ways, as much as what it produces.

Who
Any operational staff member or client can generate a change request. It is very important that the change management system be open to submissions. Restricting submission to a privileged few would discourage its use, which defeats the purpose of its existence. The power to approve changes is purposefully kept to a small number of management staff, but submitting a change is open to all.

When
Every day. A selected team at GSI reviews change requests every day. An hour of every day is set aside by the operations managers and me to review change requests for approval. It can be tedious, given that any client or operational staff member can submit requests, but the value of discussing, understanding and debating changes is well worth it. Scheduling the review for every day allows us to fine-tune how much change-related impact the data systems absorb at any one time. It also supports security efforts.

What
All hosts. The structure and restrictions for controlling change are applied to data systems according to their criticality, and the change management support systems and procedures are built to accommodate that need. This flexibility allows GSI to apply some level of change management even where tolerance for control overhead is very low. Systems in scope for compliance are held to strict standards of control, and the same procedure provides that capability as well.

Obviously there is more to the entire system than described here, but you should get the idea that the implementation must be robust.

Next week, I'll share another article where I talk about the role of change management in dealing with security event volume.

Further Reading

Change Management: Event Volume - Part 2 of 3
Change Management: Identifying Unauthorized Changes - Part 3 of 3
