Changes occur! Any change to an organizational process creates a threat to the security posture. Changes may fall into three categories of organizational process: administrative, technical or physical, and regulatory. Regardless of the category, policies can be used to prevent unauthorized changes and to help maintain the security posture through authentication, authorization, and accounting (AAA). Here are some tips to consider when implementing, tailoring, and designing policies for the change management process:
1. Implement a security policy control program
- Use established frameworks as references
- Use metrics to manage controls
- Maintain documentation that is visible across the organization
- Communicate frequently throughout the organization
2. Tailor the security policy program to meet changing business requirements
- Understand how tailoring (reusing) an existing plan will affect the responsibilities of current personnel
- Involve all associated personnel
- Ensure the selected controls are in line with business needs
- Document how the selected controls were considered and chosen
3. Design a change management plan for the security policy program
- Have a formal change request process (changelogs)
- Review the security baseline and conduct an impact analysis
- Develop change implementation procedures
- Implement a tracking process (version numbers)
Share at least three tips and techniques for implementing a security control program, tailoring existing policy, and designing a change management strategy.