Implementing/Re-Implementing Change Control Policies

All network environments change over time, whether the change is planned or unplanned. Change Control Policies help to minimize the inadvertent creation of security openings when implementing planned, unplanned, or recovery changes to a company's network environment. All companies have some form of production environment. Depending on the type of organization, there might also be staging and development environments as well. Change control is essential in all environments. A change in a staging or development environment that creates a design flaw will typically be replicated to the production environment. Lack of change control policies for all environments can cause flawed configuration changes or code enhancements in the production environment. Another danger to production environments is disaster recovery situations. If changes made to a production environment are not properly documented, as per a change control policy, systems that have been recovered might be put into production without having been properly hardened. Without proper change control procedures in place, systems could be placed back into production after planned maintenance has been performed, without having been properly secured. All implementations can be broken down into four steps/phases: Analysis, Design, Implementation, and Follow-up.