A configuration control board (CCB) -- also known as a configuration management board -- is a group that should play an essential role in an organisation's overall network strategy. Typically chaired by the CIO, these boards usually include voting representatives from every department in the company.
The overall goal of a CCB is to make decisions that increase the operational efficiency and usefulness of the network's ability to support the business process of the company. Security is an integral part to the CCB process, and members should take every opportunity to address security concerns during every phase of configuration management.
The configuration control method focuses on enforcing current operational policies and developing operational guidelines. A CCB should concentrate on two main duties: controlling the baseline, and evaluating and approving proposed changes.
Controlling the baseline
Every network begins with a baseline -- a list of hardware and software deployed on the network. The baseline also details connectivity necessary to support the business process of the network.
The baseline should be as detailed as possible. It should include workstation and server configurations, firewall rules, router access control lists, switch configurations, software licenses, support level agreements, and any other documentation that the company would need in order to re-create its network in the event of a disaster.
Your organisation's security measures must validate and certify the baseline against the overall network and security policy. If your baseline operating environment invalidates the security policy, you need to update the policy to include the current operational characteristics of the network.
Evaluating and approving proposed changes
Each security update, hot fix, and software upgrade and service pack changes the operational characteristics of your network. It's important to make evaluating these constant changes a vital responsibility for specified members of the CCB.
Security administrators should evaluate whether the baseline is vulnerable to the condition that generated the service pack or security update. They must also determine whether an upgrade will change the operational behaviour of the networked devices and potentially violate the overall network and security policy. Only after the board approves the change should it allow system administration to begin testing.
Proposed changes must also include the development or purchase of new software or hardware. It's essential to include security personnel as early as possible during the functional design and analysis to determine whether implementation of the proposed change will invalidate the current network security policy.
Final thoughts
Some organisations make the mistake of using their CCB process to modify current security policies for the sake of 'feature creep' in new versions of software. Companies should review implementations that violate existing policies at the policy level and take steps to balance them against business requirements.
By making security an essential part of your company's change process, you can help ensure that departments won't make financial decisions that violate existing policy and waste money purchasing equipment or software that you can't safely implement on the network.
