Written by Administrator
Thursday, 09 July 2009 08:54

Configuration management

Configuration management refers to the procedures that are used to carry out changes that affect the network, individual systems, or software:

- Identifying, controlling, accounting for, and auditing changes made to the baseline trusted computing base (TCB), which includes changes to hardware, software, and firmware.
- A system that controls changes and tests documentation through the operational life cycle of a system.

Changes must be authorized, tested and recorded. The changes must not affect the security level of the system or its capability to enforce the security policy. Change control should be evaluated during system audits.

Change control sub-phases

- Request control
- Change control
- Release control

Change control steps

Necessary steps for a change control process are:

- Make a formal request for a change.
- Analyze the request.
- Develop the implementation strategy.
- Calculate the costs of this implementation.
- Review any security implications.
- Record the change request.
- Submit the change request for approval.
- Develop the change.
- Recode segments of the product and add or subtract functionality.
- Link these changes in the code to the formal change control request.
- Submit software for testing and quality approval.
- Repeat until quality is adequate.
- Make version changes.
- Report results to management.
The changes to systems may require another round of certification and accreditation. If the changes to a system are significant, then the functionality and level of protection may need to be reevaluated (certified), and management would have to approve the overall system, including the new changes (accreditation).

Last Updated on Friday, 28 August 2009 05:04