Last week, our team had the pleasure of hosting a virtual panel on securing digital transformation and what COVID-19 means for cyber security as we continue to navigate the increasingly remote workforce.
Amid the COVID-19 pandemic, remote working has added a new dimension to the security, compliance, and digital transformation demand landscape. During the session, our group of panelists emphasized the importance of embedding security solutions and processes in order to reduce complexity and massively increase the automation of killer manual tasks.
Senior leaders to provide insight on the topic included the following: David Cass, VP of Cyber & IT Risk, Federal Reserve Bank of New York; Mahbubul Islam, CISO, HM Courts & Tribunals Service; Mudassar Ulhaq, CIO, Waverton Investment Management; and Angus Macrae, Head of Cybersecurity, King’s College London.
My expertise and passion lie heavily in empowering change control for effective security. During the panel, I had the opportunity to dive into details around how organizations can gain visibility across their networks and data centers in order detect unauthorized changes. While our team was already highly virtualized, we have seen a major push from organizations to open up connectivity to their networks at a rapid pace. With this comes an increased attack surface that organizations need to pay close attention to as they are one slip away from opening up their data to the rest of the world.
Change control is key. From our experience, organizations need to automate configuration while using VPNs and Firewalls for remote working. This way, teams are provided with an audit trail of what was changed, what the implications are, and how to fix it.
Change Control vs. Change Management
The panel also dives into both change management and change control. These two terms are often confused so its helpful to provide some clear defintions. Change Control is defined as the process of understanding and monitoring the actual changes that occur with a specific focus on spotting changes that may cause harm. Conversely, Change Management is the process required to request, review, approve and commission changes, while Change Control is the active analysis of actual changes that have occurred.
Change Management can be seriously flawed from a security standpoint without some form of Change Control. Change Management’s ‘dirty little secret’ is that, despite the comfort blanket of documentation and approvals, you never know what’s really going on. You have no idea what was actually changed, either during the Change Window or at any other time.
Change Control seeks to examine all changes and reconcile these with what we expected, along with further analysis of the changes to ensure no hidden malware or zero-day infections exist. Simply put, you need Change Control to ensure the changes that are happening aren't harmful.
By implementing NNT’s Change Control Program, organizations will have the rules and processes in place to capture changes that are either:
- Planned & detailed ahead of time, but not checked after the event for authenticity
- Planned ahead of time that will be checked for authenticity as the changes occur
- Not planned ahead of time, but are approved based on previous knowledge of the changes and their adherence to the criteria for which they were previously approved
Share this post