S 2.221 Change management

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators, technical managers

The complexity of the IT systems found today means that even small changes in existing systems can result in security problems, e.g. through unexpected system behaviour or system failures.

In connection with IT security it is a task of change management to identify new security requirements resulting from changes in IT systems. If any significant hardware or software changes are planned to an IT system, then the implications for the security of the system as a whole must be examined. Changes to an IT system must not result in any reduction in the efficiency of individual security measures and hence in compromising of the overall security.

There should therefore be guidelines for implementing changes to IT components, software or configuration data (see S 4.78 Careful modifications of configurations). All changes to IT components, software or configuration data should be planned, tested, approved and documented. Care must be taken to ensure that appropriate steps are taken in response to all security-relevant changes. For example,

• changes to IT systems (new applications, new hardware, new network connections, modifications to the software used, installation of security patches, hardware upgrades etc.)

• changes in tasks or the importance of tasks for the institution,

• changes in the user structure (new users, external or anonymous users, user groups)

• changes to the physical premises, e.g. after a relocation

Before any changes are approved and carried out, checking and testing of the planned actions must ensure that the security level will be maintained both during and after the changes. If any risks, especially as regards availability, cannot be excluded, then a fallback solution must be planned and criteria assigned as to when this should be implemented.

All changes and the associated reasoning behind decisions must be documented. This applies both in the operational environment and also in a test environment.

With regard to change management, the authorisation concept for carrying out changes is an important point:

• Only those who are allowed to carry out the changes should have access authorisation to the relevant system areas.

• There should be mechanisms in place which ensure that all essential changes are co-ordinated in advance.

Note: when implementing changes it should be remembered that changes to an IT system or its conditions of use can make it necessary

• to make changes in the implementation of the IT security plan,

• create a new IT security concept or even

• revise the organisation-wide IT security policy.

IT Security Management should therefore be involved when any big changes are to be made.

Additional controls:

• Are there any guidelines for implementing changes to IT components, software or configuration data?

• Are all changes tested and documented?

• Is IT Security Management involved when major changes are to be made?