Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

8.3. Configuration and Change Management

💡 First Principle: Systems do not stay secure — they drift. From the moment a server enters production with a hardened baseline, entropy works against it: patches are missed, services are enabled for troubleshooting and never disabled, firewall rules are added and never removed, and temporary credentials become permanent. Configuration management detects this drift; change management governs the authorized modifications. Together they keep the gap between "how the system should be configured" and "how it actually is" small enough to manage.

The operational dimension of configuration and change management — the focus of Domain 7 — is about execution and enforcement. Domain 3 covered the architectural principles; here we address how organizations maintain baselines, manage patches, and govern changes day-to-day.

Why this matters: Exam questions about configuration management test whether you understand the relationship between baselines, drift detection, change authorization, and emergency change processes. The scenario where a critical patch must bypass normal change management is a frequent exam pattern.
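The relationship described above, drift detection against a baseline feeding into change authorization, is easiest to see in code. The following is an added example, not part of the course material: it compares a recorded hardened baseline with the observed state of a host across the four drift types named in the First Principle (services, firewall rules, patches, credentials), then checks each deviation against a list of change records so that only deviations without an approved record are reported as unauthorized drift. All hostnames, service names, rule strings, patch identifiers and change IDs are constructed sample data.

```python
"""Configuration drift detection against a hardened baseline.

Added example for this section (not course material). Every value in
the sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HostState:
    enabled_services: FrozenSet[str]
    firewall_rules: FrozenSet[str]          # e.g. "allow tcp/22 from 10.0.0.0/8"
    installed_patches: FrozenSet[str]
    credentials: Dict[str, Optional[date]]  # name -> expiry (None = never expires)


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    approved: bool
    kind: str   # "service", "firewall", "patch" or "credential"
    item: str   # the exact item the change covers


@dataclass
class Finding:
    kind: str
    item: str
    detail: str
    authorized_by: Optional[str] = None  # change id that covers this deviation


def diff_state(baseline: HostState, actual: HostState, today: date) -> List[Finding]:
    """Configuration management: list every way 'actual' departs from 'baseline'."""
    findings = []
    for svc in sorted(actual.enabled_services - baseline.enabled_services):
        findings.append(Finding("service", svc, "enabled but not in baseline"))
    for svc in sorted(baseline.enabled_services - actual.enabled_services):
        findings.append(Finding("service", svc, "in baseline but now disabled"))
    for rule in sorted(actual.firewall_rules - baseline.firewall_rules):
        findings.append(Finding("firewall", rule, "rule added"))
    for rule in sorted(baseline.firewall_rules - actual.firewall_rules):
        findings.append(Finding("firewall", rule, "baseline rule removed"))
    for patch in sorted(baseline.installed_patches - actual.installed_patches):
        findings.append(Finding("patch", patch, "required patch missing"))
    for name, expiry in sorted(actual.credentials.items()):
        if expiry is None:
            findings.append(Finding("credential", name, "no expiry set"))
        elif expiry < today:
            findings.append(Finding("credential", name, f"expired on {expiry.isoformat()}"))
    return findings


def classify(findings: List[Finding], changes: List[ChangeRecord]) -> List[Finding]:
    """Change management: a deviation is authorized only if an approved record covers it."""
    approved = {(c.kind, c.item): c.change_id for c in changes if c.approved}
    for f in findings:
        f.authorized_by = approved.get((f.kind, f.item))
    return findings


def unauthorized_drift(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.authorized_by is None]


# Constructed sample: baseline recorded when the host entered production.
BASELINE = HostState(
    enabled_services=frozenset({"sshd", "chronyd", "auditd"}),
    firewall_rules=frozenset({"allow tcp/22 from 10.0.0.0/8", "allow tcp/443 from any"}),
    installed_patches=frozenset({"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}),
    credentials={"svc-backup": date(2026, 12, 31)},
)

# Constructed sample: what a scan of the same host observes today.
ACTUAL = HostState(
    enabled_services=frozenset({"sshd", "chronyd", "auditd", "telnet"}),
    firewall_rules=frozenset({"allow tcp/22 from 10.0.0.0/8", "allow tcp/443 from any",
                              "allow tcp/8443 from 10.0.0.0/8"}),
    installed_patches=frozenset({"PATCH-EXAMPLE-001"}),  # 002 was never applied
    credentials={"svc-backup": date(2026, 12, 31), "tmp-troubleshoot": None},
)

# Constructed sample: change records. Only an approved record authorizes a deviation.
CHANGES = [
    ChangeRecord("CHG-EXAMPLE-100", True, "firewall", "allow tcp/8443 from 10.0.0.0/8"),
    ChangeRecord("CHG-EXAMPLE-101", False, "service", "telnet"),  # requested, not approved
]


def run_report(baseline=BASELINE, actual=ACTUAL, changes=CHANGES, today=date(2026, 6, 1)):
    findings = classify(diff_state(baseline, actual, today), changes)
    for f in findings:
        status = f"authorized by {f.authorized_by}" if f.authorized_by else "UNAUTHORIZED DRIFT"
        print(f"[{status}] {f.kind}: {f.item} ({f.detail})")
    return findings


if __name__ == "__main__":
    run_report()
```

Running the report on the sample data yields four deviations, of which one (the new firewall rule) is covered by an approved change record and three (the extra service, the missing patch, the credential with no expiry) are unauthorized drift. An authorized deviation is still a signal: once a change is approved and implemented, the baseline itself should be updated so the deviation stops appearing on every scan.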

⚠️ Common Misconception: "IDS and IPS are the same technology, just with different names." IDS detects and alerts; IPS detects and blocks. This distinction has operational implications: a false positive on an IDS generates an unnecessary alert; a false positive on an IPS blocks legitimate traffic. IPS placement must account for the risk of false-positive disruption — which is why many organizations deploy IDS broadly and IPS at critical choke points.

Written by Alvin Varughese (Founder, 15 professional certifications)