A configuration control board (CCB), also known
as a configuration management board, is a group that should play an
essential role in an organization’s overall network strategy.
Typically chaired by the CIO, these boards usually include voting
representatives from every department in the company.

The overall goal of a CCB is to make decisions
that increase the operational efficiency and usefulness of the
network’s ability to support the business process of the company.
Security is an integral part to the CCB process, and members should
take every opportunity to address security concerns during every
phase of configuration management.

The configuration control method focuses on
enforcing current operational policies and developing operational
guidelines. A CCB should concentrate on two main duties:
Controlling the baseline, and evaluating and approving proposed
changes. Let’s take a closer look at each responsibility.

Controlling the baseline

Every network begins with a baseline: an inventory of
the hardware and software deployed on the network. The baseline also
documents the connectivity required to support the business processes
that run over the network.

The baseline should be as detailed as possible.
It should include workstation and server configurations, firewall
rules, router access control lists, switch configurations, software
licenses, support level agreements, and any other documentation
that the company would need in order to re-create its network in
the event of a disaster.

Your organization’s security measures must
validate and certify the baseline against the overall network and
security policy. If your baseline operating environment invalidates
the security policy, you need to update the policy to include the
current operational characteristics of the network.

Evaluating and approving proposed changes

Each security update, hot fix, software upgrade, and
service pack changes the operational characteristics of your network.
It’s important to make evaluating these constant changes a standing
responsibility of specified members of the CCB.

Security administrators should evaluate whether
the baseline is vulnerable to the condition that generated the
service pack or security update. They must also determine whether
an upgrade will change the operational behavior of the networked
devices and potentially violate the overall network and security
policy. Only after the board approves the change should it allow
system administration to begin testing.

Proposed changes must also include the
development or purchase of new software or hardware. It’s essential
to include security personnel as early as possible during the
functional design and analysis to determine whether implementation
of the proposed change will invalidate the current network security
policy.

Final thoughts

Some organizations make the mistake of using
their CCB process to modify current security policies for the sake
of “feature creep” in new versions of software. Companies should
review implementations that violate existing policies at the policy
level and take steps to balance them against business
requirements.

By making security an essential part of your
company’s change process, you can help ensure that departments
won’t make financial decisions that violate existing policy and
waste money purchasing equipment or software that you can’t safely
implement on the network.
