Change Management - Component of Vulnerability Management
Change management is a critical part of a successful vulnerability management program. As vulnerabilities are found and resolved, change management should be used to track the process so that progress can be tracked and compliance can be assessed.
While change management is a complex and involved topic, the following list is meant to provide a starting point when considering the types of information that will need to be tracked in a change management system.
- Requestor Information
- Party requesting the change/Reason for change
- Change Type
- Hardware, software, configuration, patch, etc.
- Priority
- Urgent, normal, low
- Customer Impact
- High, medium, low
- Impact on Other Systems
- Other systems impacted (including extent of impact)
- System Type
- System Name
- IP address, hostname
- Group Performing Change
- Including contact information
- Change Time
- Date and time of change start and end
- Change Description
- Summary of change, change justification
- Change Details
- Description of change
- Change test results
- Verification plan
- Backout plan
- Notification of users
- Change Approval
- Approver name and contact information
- Post-Change Information
- Success, failure
- Change metrics, including duration of change
Prepared by Jason Chan , Symantec
Professional Services 
-