by Lori Kleckner
This month we look at section 10 of the NENA Security for Next Generation 9-1-1 (NG-SEC) document for direction regarding change control and documentation.
Changes to the NG9-1-1 environment can cause rippling effects throughout the network and to any other connected resources. What may appear to be an innocuous change to an application could cause connecting applications and the network to stop functioning. A change which has not been documented may be unknown to others. This causes troubleshooting to be much more difficult. Without effective change control an organization may not ever truly know what exists in their environment or how their systems are configured. The lack of change control also makes upgrading more complicated.
During assessments L.R. Kimball typically finds that change control processes are either incomplete or non-existent. By our accounts only about 15% of the sites assessed utilize an adequate change control process.
NG-SEC requires a formal change control process to be in place which includes a team of subject matter experts to review and approve proposed changes to architecture, design and functionality, prior to implementation. Basic change control includes:
- Change request
- Description, justification, impact
- Change review
- Possible conflicts and risks, complete information, approval
- Implementation timeline
- Step – by – step process with dates
- Pre-change testing
- Test environment which mimics production environment, test all steps in the process, update change request if needed
- Back out procedure (in case of failure)
- Process required to return to the pre-cutover state
- Post change testing
- List of systems or processes to test, assuring the production environment is functioning as expected
- Document and retain
All documents generated during the change process including lessons learned to aid future changes
Without a change control process in place, who knows what is going on with the network? What applications are installed, have patches been applied, what the firewall is filtering. It can be a confusing mess. You may end up purchasing a product and find out you already have one installed, but you do not know that because information was not shared, changes were made in pockets and not everybody was informed.
Our next NG-SEC blog will cover compliance audits and reviews; always a fun topic. Actually, if you do not have a change control process in place, an audit could be a good way to find out what is on your network.