What is Change Control?
Change Control is not the same as Change Management.
While Change Management focuses on the justification and planning of a change, Change Control focuses on verifying and approving the changes that were actually made.
Throughout the 20 CIS Controls it is a security best practice that is referenced constantly.
Controlling configuration settings, running services and open ports, and installed software keeps the attack surface minimized, removing vulnerabilities that attackers could otherwise exploit.
Similarly, controlling user accounts, privileges and access is a fundamental security best practice for reducing attacker opportunity.
Change control is exactly that - controlling change.
Without Change Control you won’t know whether the changes you wanted were implemented correctly. And from a security standpoint, you have no way to distinguish legitimate IT activity from a stealthy cyber-attack. This is a large part of why, according to the Verizon Data Breach Investigations Report, 68% of breaches take months or longer to discover.
So for Change Control to be truly effective as a breach detection control, it must provide complete visibility of every change, at a forensic level. An edit to a config file? A modified registry value, file permission or other attribute? If you are serious about security, every one of these changes needs to be exposed, analyzed, and then either approved or rolled back.
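The mechanism that paragraph describes, as an added example (not the article's own text or any vendor's product code): take a forensic baseline of every file (content hash, size, mode, owner, group), compare a later snapshot against it, and reconcile each detected change against the list of approved change records. Anything that does not match an approved record is an unexplained change to investigate. The scenario in `demo()` is constructed for illustration and assumes a POSIX filesystem; on Windows the same reconciliation would need registry keys added alongside files, which this example does not cover.

```python
"""File-integrity baseline, compare, and approved-change reconciliation (added example)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes we want forensic-level visibility on. Order fixes the order of reported diffs.
TRACKED_ATTRS = ("sha256", "size", "mode", "uid", "gid")


def _record(path: Path) -> dict:
    """Capture content hash plus the metadata attributes a change must not silently alter."""
    st = path.lstat()
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
           "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    else:
        rec["sha256"] = None  # symlinks, devices etc.: metadata only
    return rec


def baseline(root: str) -> dict:
    """Walk root and record every file, keyed by POSIX-style path relative to root."""
    root_path = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            snap[p.relative_to(root_path).as_posix()] = _record(p)
    return snap


def compare(old: dict, new: dict) -> list:
    """Return change events as (relative_path, kind, changed_attrs), sorted by path."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append((rel, "added", ()))
        elif rel not in new:
            events.append((rel, "removed", ()))
        else:
            diff = tuple(a for a in TRACKED_ATTRS if old[rel].get(a) != new[rel].get(a))
            if diff:
                events.append((rel, "modified", diff))
    return events


def reconcile(events: list, new: dict, approved: dict) -> tuple:
    """Split events into approved and unexplained.

    approved maps a relative path to either the string "removed" or a dict of the
    attribute values the change record says the file should end up with. A change is
    approved only if every attribute that actually changed matches that record.
    """
    ok, unexplained = [], []
    for rel, kind, diff in events:
        expect = approved.get(rel)
        if kind == "removed":
            matched = expect == "removed"
        elif isinstance(expect, dict):
            attrs = diff if kind == "modified" else ("sha256",)
            matched = all(new[rel].get(a) == expect.get(a) for a in attrs)
        else:
            matched = False
        (ok if matched else unexplained).append((rel, kind, diff))
    return ok, unexplained


def demo() -> dict:
    """Constructed scenario (not real data): one approved change window plus tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "etc" / "old.conf").write_text("obsolete\n")
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\necho backup\n")
        (root / "bin" / "backup.sh").chmod(0o755)
        before = baseline(tmp)

        # The change ticket approved exactly this sshd_config content and removing old.conf.
        new_sshd = "PermitRootLogin no\nMaxAuthTries 3\n"
        (root / "etc" / "sshd_config").write_text(new_sshd)
        (root / "etc" / "old.conf").unlink()
        approved = {
            "etc/sshd_config": {"sha256": hashlib.sha256(new_sshd.encode()).hexdigest(),
                                "size": len(new_sshd)},
            "etc/old.conf": "removed",
        }
        # Nobody approved these: a sudoers edit, a permission change, and a new cron job.
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\nwww-data ALL=(ALL) NOPASSWD: ALL\n")
        (root / "bin" / "backup.sh").chmod(0o777)
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")

        after = baseline(tmp)
        ok, unexplained = reconcile(compare(before, after), after, approved)
    return {"approved": ok, "unexplained": unexplained}


if __name__ == "__main__":
    for bucket, events in demo().items():
        for rel, kind, diff in events:
            print(f"{bucket:12} {kind:9} {rel} {list(diff)}")
```

The point of `reconcile` is that matching a change to a ticket is not enough: the resulting content and attributes must match what the ticket authorised, so an approved edit that also flipped a permission bit, or landed with different content than planned, still surfaces as unexplained.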