变更管理过程(The change management process )
The change management process has three basic components:
Request Control:The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks.
Change Control:The change control process is used by developers to re-create the situation encountered by the user and to analyze the appropriate changes to remedy the situation. It also provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment. Change control includes conforming to quality control restrictions, developing tools for update or change deployment, properly documenting any coded changes, and restricting the effects of new code to minimize diminishment of security.
Release Control:Once the changes are finalized, they must be approved for release through the release control procedure. An essential step of the release control process is to double-check and ensure that any code inserted as a programming aid during the change process (such as debugging code and/or backdoors) is removed before releasing the new software to production. This process also ensures that only approved changes are made to production systems. Release control should also include acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.
变更管理过程有三个基本组成部分。
1、请求控制:请求控制过程提供了一个有组织的框架,在这个框架内,用户可以请求修改,管理人员可以进行成本/效益分析,开发人员可以对任务进行优先排序。
2、变更控制:变更控制过程被开发人员用来重新创建用户所遇到的情况,并分析适当的变更来补救这种情况。它还提供了一个有组织的框架,在这个框架内,多个开发人员可以在推出生产环境之前创建和测试一个解决方案。变更控制包括符合质量控制的限制,开发更新或变更部署的工具,正确记录任何编码变更,并限制新代码的影响,以尽量减少安全的削弱。
3、发布控制:一旦变化被确定下来,它们必须通过发布控制程序被批准发布。发布控制程序的一个重要步骤是,在将新软件发布到生产中之前,要仔细检查并确保在修改过程中作为编程辅助工具插入的任何代码(如调试代码和/或后门)被删除。这个过程也确保了只有经过批准的更改才会在生产系统中进行。发布控制还应该包括验收测试,以确保对终端用户工作任务的任何改动都能被理解并发挥其功能。
In addition to the change management process, security administrators should be aware of the importance of software configuration management (SCM). This process is used to control the version(s) of software used throughout an organization and to formally track and control changes to the software configuration. It has four main components:
除了变更管理过程之外,安全管理员应该意识到软件配置管理(SCM)的重要性。这个过程用于控制整个组织使用的软件版本,并正式跟踪和控制对软件配置的更改。它有四个主要组成部分。
Configuration Identification:During the configuration identification process, administrators document the configuration of covered software products throughout the organization.
配置识别:在配置识别过程中,管理员要记录整个组织中涵盖的软件产品的配置。
Configuration Control :The configuration control process ensures that changes to software versions are made in accordance with the change control and configuration management policies. Updates can be made only from authorized distributions in accordance with those policies.
配置控制:配置控制过程确保软件版本的变化符合变更控制和配置管理政策。根据这些政策,只能从授权的发行中进行更新。
Configuration Status Accounting:Formalized procedures are used to keep track of all authorized changes that take place.
配置状态核算:使用正式的程序来跟踪所有发生的授权变更。
Configuration Audit :A periodic configuration audit should be conducted to ensure that the actual production environment is consistent with the accounting records and that no unauthorized configuration changes have taken place.
配置审计:应定期进行配置审计,以确保实际生产环境与核算记录一致,并确保没有发生未经授权的配置变更。
Together, change and configuration management techniques form an important part of the software engineer’s arsenal and protect the organization from development-related security issues.
变更和配置管理技术共同构成了软件工程师武器库的重要组成部分,并保护组织免受与开发相关的安全问题。
