Learning to Deal with Change and the Unknowns: Page 2
Some people confuse change and configuration management. They are, in fact, two different topics.
While change management is concerned about controlling changes made to systems, configuration management, on the other hand, is concerned with controlling the various builds that are in use.
Each unique software and hardware build -- meaning the sum of software, hardware and configuration components -- is a configuration item (CI), as are all of the components. They are tracked in the Configuration Management Database (CMDB).
Why does this matter to security?
Again, it is about tracking changes. Presumably, all builds in the CMDB are known good builds. Any deviation detected in the production system from the known build should be investigated. If it does not tie out to an authorized work order, then there has been a control failure. Either an internal party or an external party has made unauthorized changes.
Also, should there be a security breach or even a disaster, the actions necessary to recover the systems will rely on having accurate CI data to minimize downtime and expedite recovery.
Good change and configuration management processes are absolutely necessary to manage risks and enhance security. They also are process areas that will benefit operations, as well. Improvements in these areas can benefit IT operations, IT security and the business stakeholders.