Monday, July 1, 2019

變更管理 (Change Control Management)

When a programmer makes a change to source code, it should be done on the test version of the code. Under no conditions should a programmer change code that is already in production. The changes should be made and tested, and then the new code should go to the librarian. Production code should come only from the librarian, never from a programmer or directly from a test environment.

Change control processes should be evaluated during system audits. It is possible to overlook a problem that a change has caused in testing, so the procedures for how change control is implemented and enforced should be examined during a system audit.

The following are some necessary steps for a change control process:

1.  Make a formal request for a change. (Submit a formal change request form.)
2.  Analyze the request. (Requirements analysis.)
    a.  Develop the implementation strategy. (Strategy for meeting the change request.)
    b.  Calculate the costs of this implementation. (Estimate the cost the change will incur.)
    c.  Review security implications. (Consider the security impact.)
3.  Record the change request. (Keep the records relating to the change.)
4.  Submit the change request for approval. (Must be reviewed and approved by management.)
5.  Develop the change. (Carry out the change.)
    a.  Recode segments of the product and add or subtract functionality.
        (Modify and compile the system code, and similar work.)
    b.  Link these changes in the code to the formal change control request.
        (The change request form and the change work should be tied to each other.)
    c.  Submit software for testing and quality control.
        (After the change is made, test it to ensure quality.)
    d.  Repeat until quality is adequate. (Repeat until all requirements are met.)
    e.  Make version changes. (Update the version.)
6.  Report results to management.
    (After the change is complete, report to management and the responsible units; close the change request.)

Changes to a system may require another round of certification and accreditation. If the changes are significant, the functionality and level of protection may need to be reevaluated (certification), and management would have to approve the overall system, including the new changes (accreditation).

Text quoted from CISSP, Change Control Management
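Two of the controls above can be enforced by a deployment gate rather than left to procedure: production code may come only from the librarian (not from a programmer or the test environment), and every change must be linked to a change request that management approved. The following Python is an added example, not part of the CISSP text quoted above. It is hypothetical throughout: an HMAC-SHA256 key stands in for the librarian's release-signing key, the change-request register, request IDs and sample artifact are all constructed inline, and the function names are this example's own.

```python
"""Release gate enforcing two of the change-control rules above: production
code may come only from the librarian, and every change must be tied to an
approved change request.  Hypothetical example; HMAC-SHA256 stands in for
the librarian's release-signing key."""
import hashlib
import hmac

# Constructed sample keys (hypothetical). In a real shop the librarian's key
# would live in a KMS/HSM and developers would never hold it.
LIBRARIAN_KEY = b"librarian-release-signing-key"
DEVELOPER_KEY = b"developer-workstation-key"

# Constructed change-request register: the outcome of steps 1-4 of the process.
CHANGE_REGISTER = {
    "CR-2019-0042": {"status": "approved", "approver": "it-manager"},
    "CR-2019-0043": {"status": "pending", "approver": None},
}


def release_message(artifact_sha256, change_id):
    """What gets signed: the artifact digest bound to the change request ID."""
    return f"{artifact_sha256}|{change_id}".encode()


def sign_release(key, artifact, change_id):
    """Produce a release manifest. Only the librarian should hold the key
    that makes this manifest acceptable to gate_release()."""
    digest = hashlib.sha256(artifact).hexdigest()
    sig = hmac.new(key, release_message(digest, change_id),
                   hashlib.sha256).hexdigest()
    return {"artifact_sha256": digest, "change_id": change_id, "signature": sig}


def gate_release(manifest, artifact, librarian_key=LIBRARIAN_KEY,
                 register=CHANGE_REGISTER):
    """Decide whether an artifact may go to production. Returns (ok, reason)."""
    # The bytes being deployed must be the bytes the manifest describes.
    if hashlib.sha256(artifact).hexdigest() != manifest["artifact_sha256"]:
        return False, "artifact does not match manifest"
    # Step 5b: the change must be linked to a formal change request ...
    cr = register.get(manifest["change_id"])
    if cr is None:
        return False, "no change request on record"
    # ... and step 4: that request must carry management approval.
    if cr["status"] != "approved":
        return False, "change request not approved"
    # Production code comes only from the librarian: the signature must verify
    # under the librarian's key, so a developer- or test-signed build is refused.
    expected = hmac.new(
        librarian_key,
        release_message(manifest["artifact_sha256"], manifest["change_id"]),
        hashlib.sha256,
    ).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        return False, "not released by the librarian"
    return True, "ok"


if __name__ == "__main__":
    build = b"print('hello, production')\n"  # constructed artifact
    for key, cr in ((LIBRARIAN_KEY, "CR-2019-0042"),
                    (DEVELOPER_KEY, "CR-2019-0042"),
                    (LIBRARIAN_KEY, "CR-2019-0043")):
        print(cr, gate_release(sign_release(key, build, cr), build))
```

The order of checks matters for the audit trail: a build that fails the hash or change-request check is rejected before any key is consulted, so a log of gate decisions shows which control stopped it. The same three outcomes (approved librarian release, developer-signed build, unapproved request) are what an auditor examining the change control procedure would want to see exercised.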
