Configuration and Change Management: Types of IT Documentation Your Business Needs

By Dr. Jerry Craig | June 27, 2023
Jerry is Ntiva’s Sr. Director of Security and CISO, offering more than 20 years in the IT and cybersecurity industry. Certified CISO, CISSP and CCSP, Jerry also serves part-time as Adjunct Professor in the University of Maryland Global Campus.

Change and/or configuration management systems always seem to fall on the back burner while businesses are growing. After all, who has time to implement a thorough documentation process for every single change that happens in your digital environment?

This goes on for a while, knowing you'll get to it one day, when suddenly an auditor arrives in your office asking for proof! Don't wait around. Let's get into the details of change management, and beat that auditor to the punch!


This blog is an excerpt of a recent webinar.
Don't want to read the article? Watch the full recording below.

Be sure to register here for the "Cybersecurity for Business Leaders" Lunch & Learn series!



Table of Contents

What is a Change Management Program

The Pieces of a Change Management Program

Next Steps and Challenges


What is a Change Management Program?

Configuration and Change Management (CM) Programs are company-set standards for documenting and managing all modifications made in an organization's technical environment.

Every company's expectations and directions will be different depending on industry, cyber insurance requirements, and relevant cybersecurity standards.

CM Programs are comprised of a mixture of technical solutions, software, and people. Change management is typically implemented first, consisting mostly of processes and people. From there, configuration management is added, involving software for a ticketing management database.

Without Change Management and Configuration Management Programs, you truly cannot know what is occurring on your network. You need to be able to monitor events as they happen for cybersecurity purposes. Was the change expected? Did it deliver the desired result?

Add in the layer of regulatory compliance and cyber insurance, and things get even more serious. Federal contractors, like those under CMMC compliance, must have a CM program setup and documented for auditors!

Regardless of industry or necessary regulatory compliance level, CM programs can help keep your business in line with documented and measurable tasks, goals, and outcomes.


The Pieces of a Change Management Process Program

Let's take a look at all of the high level components I view as necessary to a successful CM implementation. Keep in mind, depending on the size and/or type of organization, each of these could be their own project with dedicated time, resources, etc.


Documented policies, procedures, and processes

You simply can't have a CM program without solid documentation cover all policies, procedures, and processes. Your people have to know where to go to find the details, and you can't train them or provide evidence to your auditor without it.


Documented baselines both pre- and post-changes

Without documented baselines, you'll never know if the changes or configurations you modified actually had an impact on your network. This is crucial information for version control and over system administration.


Up to date inventories (asset management)

There are a hundred ways to keep your asset inventory documentation up to date. From free options to fully integrated systems that cost thousands. The best method is up to you. However, once you have an updated inventory, you need to complete a cost benefit analysis for each item. Compare the man-hours of a cheaper alternative with a higher up-front cost of a fully automated software. See what works best for you.


Change Request (CR) forms

Everyone in the company needs to know the process for filling out a change request (CR) form. Set realistic expectations for approval and implementation as well.


Change Control Board (CCB) and Change Advisory Board (CAB)

You'll likely need to establish a Change Control Board (CCB) for project related items, and a Change Advisory Board (CAB) for service lifecycle support. Each board member will be assigned roles and responsibilities. This can be as simple as a two or three person team, maybe one from software development along with a cybersecurity specialist, that reviews all changes in your organization. Regardless of size, the bottom line is, your business needs a set group of people to review all potential changes to your network.

We frequently see changes implemented to address a vulnerability, only to have another vulnerability opened up afterwards. Things like this need to be considered when reviewing changes, and it's important to work hand in hand with your cybersecurity team throughout the process.


Documentation capturing the requested change, its impact, and input from list of approvers

For each requested change, you need to document the impact on the business for both approval and denial, along with the input from all approvers. All departments need to be considered in this process!


Documentation repository of prior agendas, meeting minutes, and requests

While this is more audit-based, having a repository of all previous agendas and requests will help every business. You need to keep these records for approved, denied, and in-process requests as a sort of continuous integration.


Software necessary to enforce baselines

This part can be expensive, but it's crucial for your business to have all the necessary software to enforce baselines and keep your infrastructure in its desired state. Most organizations seem to skip this step and rely on an "honor system" of sorts, hoping everyone is adhering to the necessary guidelines. This can (and eventually WILL) cause problems, especially when an emergency change occurs and your team is rushing to complete a project. Having the necessary quality assurance software in place ensures that you stay safe, even when mistakes are made.


Next Steps and Challenges: Is Your Business Ready to Implement a Change Management Program?

Obviously, there are multiple steps to consider before your business undertakes the effort of creating a CM program. Here are a few of the challenges you'll encounter during the process:


The Challenges

  1. Obtaining executive leadership buy-in. Always crucial to ensure support for the future!

  2. Obtaining proper funding. This can be an expensive venture.

  3. Internal resistance to change. Employees will often attempt to bypass new processes.

  4. Additional workload. After assigning roles and responsibilities, many on the team will have more work to do.


If you're prepared for the challenges, you'll need to know the immediate next steps to take:


Next Steps

  1. Determine if a CM program makes sense for your business. It's not a one-size-fits-all program.

  2. Determine if you have a requirement to implement a specific type of program. This can vary by industry or even by the types of data stored.

  3. Define the scope of the program. Who are your stakeholders, and what are your overall goals?

  4. Determine if you can handle this project yourself. If it's all too much, reach out to a trusted MSP like Ntiva to help!

  5. Begin planning a reasonable timeline and budget. Don't forget to leave yourself some room for issues that will inevitably pop up.


While it does seem like a massive undertaking, creating a Change Management Program for your business is a worthwhile, and in many cases, necessary task. If you're having trouble or feeling overwhelmed, reach out to us! Our team will be more than happy to help you build the best program possible!


New call-to-action

Tags: Cybersecurity