CRR Supplemental Resource Guide Volume 3 Configuration and Change Management Version 1.1 Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. CERT® and OCTAVE® are registered marks of Carnegie Mellon University. DM-0003277 Distribution Statement A: Approved for Public Release; Distribution is Unlimited Table of Contents I. Introduction ............................................................................................................................................................... 1 Series Welcome ......................................................................................................................................................... 1 Audience .................................................................................................................................................................... 3 II. Configuration and Change Management ............................................................................................................... 4 Overview .................................................................................................................................................................... 4 Configuration and Change Management Terms ........................................................................................................ 5 Configuration and Change Management Process ..................................................................................................... 5 III. Create a Configuration and Change Management Plan ....................................................................................... 8 Before You Begin ....................................................................................................................................................... 8 Step 1. Obtain support for configuration and change management planning. ........................................................... 9 Step 2. Budget for configuration and change management. ...................................................................................... 9 Step 3. Define roles and responsibilities. ................................................................................................................... 9 Step 4. Gather existing policies, procedures, and documentation related to configuration and change management. ........................................................................................................................................................... 10 Step 5. Identify and prioritize critical organizational services that will require change and configuration management. ........................................................................................................................................................... 10 Step 6. Validate critical services with stakeholders and establish a configuration change review board. ................ 11 Step 7. Develop a change request process. ............................................................................................................ 11 Step 8. Determine how changes will be communicated to the organization. ........................................................... 12 Step 9. Develop a configuration and change management training plan. ................................................................ 12 Step 10. Identify tools for use in implementing and monitoring configurations. ........................................................ 12 Step 11. Plan for capacity management. ................................................................................................................. 13 Output of Section III ................................................................................................................................................. 14 IV. Identify Configuration Items ................................................................................................................................ 15 Before You Begin ..................................................................................................................................................... 15 Step 1. Map critical organizational services to stakeholders and related services. .................................................. 15 Step 2. Identify assets related to the critical services. ............................................................................................. 16 Step 3. Identify the configuration items of the assets that will undergo change and require change and configuration management. ..................................................................................................................................... 16 Step 4. Determine a configuration baseline for each configuration item. ................................................................. 17 Output of Section IV ................................................................................................................................................. 17 V. Implement and Control Configuration Changes ................................................................................................. 18 Before You Begin ..................................................................................................................................................... 18 Step 1. Evaluate change requests and approvals. ................................................................................................... 19 Step 2. Model configuration changes in a test environment. .................................................................................... 20 Step 3. Deploy changes in the production environment. .......................................................................................... 21 Step 4. Determine the success or failure of changes. .............................................................................................. 22 Step 5. Roll back unsuccessful changes. ................................................................................................................. 23 Step 6. Close out completed changes. .................................................................................................................... 23 Distribution Statement A: Approved for Public Release; Distribution is Unlimited Step 7. Change configuration baselines. ................................................................................................................. 25 Output of Section V .................................................................................................................................................. 26 VI. Monitor Configuration Changes .......................................................................................................................... 27 Before You Begin ..................................................................................................................................................... 27 Step 1. Identify systems or components not specified in documentation. ................................................................ 27 Step 2. Identify disparities between authorized, approved baselines and actual, implemented baselines. .............. 28 Step 3. Monitor system logs for unauthorized changes. .......................................................................................... 28 Step 4. Collect existing audits and configuration control records. ............................................................................ 28 Step 5. Define remediation action. ........................................................................................................................... 29 Step 6. Execute monitoring plan. ............................................................................................................................. 29 Output of Section VI ................................................................................................................................................. 30 VII. Conclusion ........................................................................................................................................................... 31 Appendix A. Example Change Request Template ................................................................................................... 32 Appendix B. Example Change Impact