2.3. Change Management and Security
š” First Principle: Every change to a system introduces risk. A patch might break a dependency. A firewall rule change might open an unintended port. A server migration might expose data. Change management ensures security is evaluated before, during, and after every change ā because most outages and security incidents trace back to changes that weren't properly reviewed.
What happens without change management? A developer pushes code that disables authentication. A network admin changes a firewall rule during peak hours and takes down payment processing. A sysadmin installs an update that introduces a known vulnerability. Without a formal process, there's no impact analysis, no testing, no backout plan, and no documentation when things go wrong.
Think of it like a surgical checklist. Surgeons don't skip steps because they've performed a thousand operations ā the consequences of missing a step are too severe. Security-aware change management applies the same discipline to IT operations.
