NNT Recommended Change Control Program

Change Control is defined as the process of understanding and monitoring the actual changes that occur with a specific focus on spotting changes that may cause harm.

Simply put, Change Management is the process required to request, review, approve and commission changes, while Change Control is the active analysis of actual changes that have occurred.

Change Management can be seriously flawed from a security standpoint without some form of Change Control. Change Management makes the assumption that the changes approved and commissioned by the Change Advisory Board – CAB are in fact those actually carried out. Combined with the routine nature within which 'Release & Deployment' occurs, typically done at the same time & same day weekly, we may have unwittingly created a 'blind spot'.

Change Control conversely seeks to examine all changes that 'actually' occur and reconcile these with what we expected along with further analysis of the changes to ensure no hidden malware or zero day infections exist.

Simply put, you need Change Control to ensure the changes that are happening aren't harmful.

At a minimum, you will need an up to date copy of NNT Change Tracker. For best results we recommend combining the NNT FAST Cloud along with the NNT Managed Change Control Program, services now offered by NNT to augment Change Tracker specifically to improve Change Control.

The F.A.S.T Cloud stands for ‘File Approved Safe Technology’. This is a solution that leverages external threat intelligence and whitelisted facilities to automatically approve the validity of File Changes as they occur. The result is a huge reduction in ‘change noise’. Read more about NNT FAST Cloud.

Within NNT Change Tracker we have adopted the simple principle of 'Planned versus Unplanned Change Detection'.

Planned changes will typically fall into one of the following three categories:

1. Changes that were planned & detailed ahead of time, but not checked after the event for authenticity: itil v2 'Forward Schedule of Changes' FSC
2. Changes that were planned ahead of time that will be checked for authenticity as the changes occur: Standard ITSM FSC combined with NNT Closed Loop Intelligent Planned Change Control System (CLICCS) - Recommended
3. Changes that were not planned ahead of time, but are approved based on previous knowledge of the changes and their adherence to the criteria for which they were previously approved: NNT Intelligent Planned Change Control System - Recommended

Within these categories you will be able to further define changes, which are unplanned yet acceptable if you are using FAST Cloud.

Unplanned Changes' fall into three prime categories:

1. Changes that were non harmful
2. Changes that were harmful
3. Changes that were potentially harmful

Given that our main objective is to enhance existing 'Change Management' process and specifically be able to spot harmful or potentially harmful changes, this guide is focused on the 'holds and moves' available to us to better spot & deal with the changes listed above.

Our goal is to see zero changes unless there is an associated 'Planned Change Record'. In order to reduce or eradicate any changes occurring that cannot be associated with a 'Forward Schedule of Changes', we encourage you to build in as much process as possible.

However, many will continue to see such changes occur outside of any planned change process, which may not be in any way harmful. Therefore stage one is designed to help you handle these changes. A key component in better handling these would be NNT FAST Cloud, but in the absence of that the following guidelines are recommended:

• Once Change Tracker is installed and set up, we will begin to see changes reported. Without any intervention, unless NNT FAST Cloud is being used, these changes will by default be reported as 'Unplanned'.
• Next, we recommend a review of the changes with any contextual information provided by NNT such as who made the change, what changed, and where and to start to think about how you would like these random and potentially esoteric changes to be treated moving forward.
• Changes that you consider to be entirely irrelevant should be excluded. Be very careful here because whilst changes may seem irrelevant to you, they may still be susceptible to attack, particularly the case where file changes are concerned. In these situations we may be better off containing these within an intelligent planned change.
• Changes that we consider normal, but likely to be repeated, should be added to an 'Intelligent Planned Change Rule' within the 'Events Screen'. We recommend an 'Auxiliary' or 'Reserved' Intelligent Planned Change Category be created to put these changes into.

As time goes by, you can add more of these changes into this category and notice that they start to reduce in numbers as your NNT software continues to be exposed to the changes that are routine, acceptable, and typical. Around 3 to 6 months, we should have observed and created a rule to handle most if not all changes that fall into this category and we can now focus on Stage 2 – Forward Planned Changes with Intelligent Change Control.

The smartest & most effective way to control changes is to link them to an approved change. NNT Change Tracker ensures that this happens independently within the software or via integration with most popular service desk and change management systems such as Service Now, Remedy, and Change Gear for example.

Having the ability to link changes to a pre-approved Change Rule and to compare actual changes with the details of that change rule is where we want you to be, but this is often times the biggest challenge for our customers. Size of task, process, and coordination of effort often means that changes continue to occur outside of any planned change approvals and the IT team is unable to prevent this from continuing.

The NNT Managed Change Control Program exists for this reason. The Change Control Program is an ongoing dedicated review of all changes conducted by a qualified NNT consultant who will be able to contain all changes within either a 'Forward Planned Change' or a 'Retrospective Planned Change' using rules & logic to ensure that the changes taking place are fundamentally not harmful. Options for handling forward planned change instances are as follows:

1. First option being a Single or Recurring Planned Change. Within NNT Change Tracker we can build a planned change window, assign this to devices or groups, and even pre-build the precise planned change profile by recording the changes made by either a patch or new software release on a pre-production system before rolling it out.
2. We recommend that a recurring planned change be created for Patch-Deployment and that Patches are pre-staged on a pre-production machine. NNT records the changes specific to that patch which can then be promoted to all production systems. Any anomalies or unexpected changes will be flagged immediately – no Patch Tuesday Blind Spot!
3. All Normal Changes outside of regular patch windows should also be planned ahead of time in this way. Some detail and the workflow for approvals can be set up within NNT Change Tracker or for a more detailed, comprehensive ITSM process, integration with a 3rd party system, we recommend using our integration kits available for systems such as Service Now, Remedy & Change Gear
4. If pre-staging changes is impossible, perhaps due to time and resource restraint, then a simple planned change window may be created, assigned to the relevant devices and a change description provided. A report will always be available for review after the planned change window has ended
5. Finally, NNT provides a comprehensive 'Planned Change Rules Editor'. This is a somewhat complex system, but can be used to include associated rules for what constitutes an acceptable planned change. This might include the username making the change whether the change included a deletion or addition or whether the change altered the size of the item in question such as a Log File for example. We recommend seeking assistance from NNT support when tackling advanced planned change rules.

From time to time and within standard ITSM guidelines, you will need to make 'Emergency Changes'. These can be fed directly into NNT Change Tracker or approved after the event. We strongly recommend that there is a published process for these and we can help build some rules into Change Tracker to approve changes based on a user group, which may help with this type of change if required.

Inevitably there will still be changes reported that fall outside of any pre-existing rule or process. The magic ingredient here will be you – was there ever any doubt about that? The means to contain and manage changes exists, but we do need some commitment from our customers to work with us to ensure unplanned changes are taken seriously.

If NNT Change Tracker is set up properly there should be few to no unplanned changes! Where unplanned changes are detected you are presented with the opportunity to become a little more secure by either taking steps to block those changes, create a rule to approve them in the future, or address the process to ensure the changes are handled differently.

If you combine this process with services such as NNT FAST Cloud and the NNT Change Control Program you will be in the enviable position of being vastly better armed to spot potentially harmful changes that may just be the difference between breach and no breach.