S 2.221 Change management

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Specialists Responsible, Change Manager

Due to the complexity of modern IT systems, even small changes to a system during operation can lead to security problems, for example due to unexpected system responses or system failures.

In terms of information security, it is the task of change management to identify new security requirements resulting from the changes made to IT systems. If major hardware or software changes are planned for an IT system, then the effects of the changes on the security of the overall system must be examined. Changes to an IT system must not reduce the effectiveness of individual security safeguards and thereby endanger the overall security.

For this reason, there should be guidelines for making changes to IT components, software, or configuration data (see S 4.78 Careful modifications of configurations). All changes to IT components, software, or configuration data should be planned, tested, approved, and documented. Care must be taken to ensure that all security-related changes trigger an appropriate reaction. Such changes include, for example:

Before changes are approved and implemented, the actions planned must be examined and tested to ensure the current security level is maintained during and after the change. If it is impossible to rule out some risks, especially risks to the availability of the system, then the planning phase must also include the planning of a fallback solution and the specification of criteria for deciding when the fallback solution should be used.

All changes and the corresponding reasons for making the changes must be documented. This applies to the operational environment as well as to any test environments.

One important aspect of change management is the authorisation concept for making changes:

Note: When making changes, it should always be taken into account that changes to an IT system or its operating conditions can make the following changes necessary:

Information security management should be involved in the case of major changes.

Review questions: