Types of IT activities that require CAB / Change Request

sunhux asked:
I'm listing out IT infra changes that require a CR / change control, i.e. are subject to CAB:
1. OS and network device OS patching/update/upgrade
2. Installing or configuring a software/feature
3. Adding/deleting/amending an ACL or firewall rule for production purposes
4. Configuring DB changes: to list out ...
5. Hardening & OS changes (permission changes etc.)
6. OS/device tuning (including migrating services behind a WAF, ...)
7. Changing account/object privileges

However, I think the following just require an SR/email:
a. Blocking of IOCs (from threat intel)
b. Unlocking accounts / password resets
c. Logging in to check/extract information (Cisco 'show run')
d. Restarting / rebooting a service or OS to fix a problem
noci, Software Engineer, Distinguished Expert 2018:
I am missing policy changes among the CAB-eligible issues.
If there are, say, 100 password reset requests a month in a 200-user population, there are other problems that need investigation & resolution.... If the resolution means users don't need to change their password every week, but once a month, that would be a change to pass by the CAB.

How about an admin password reset? Or a password reset for some service account? That would have a lot more impact.

Restarting a server to fix a problem: then the fix should be passed through CAB? The reboot is a part of the fix, IMHO.
If a server randomly shows problems that need rebooting to resolve, then there is a problem that needs to be investigated & solved... Changes to servers are CAB-eligible, IMHO.
Gerwin Jansen, EE MVE, Topic Advisor, Most Valuable Expert 2016:

It all depends on what your CAB is responsible for. I’ve seen organizations where CAB just advises on what are upcoming changes and where the operational support organization (e.g. support desk) handles things like timing of change execution, informing end users etc. If some issue occurs where a server would need to be rebooted, the CAB would have no role at all. In case of a new system/server/application, CAB would have to approve first and the support organization would take care of taking things into service.
Exec Consultant, Distinguished Expert 2018:
You should define the terms of reference for the CAB and, specifically, what constitutes a change. For those exclusions, you should be asking whether there is any effect on the running IT system.

E.g.: the addition, modification or removal of anything that could have an effect on IT services. The scope should include changes to all architectures, processes, tools, metrics and documentation, as well as changes to IT services and other configuration items.

a. Blocking of IOCs (from threat intel) - This is going to involve firewall changes, so if CAB is overseeing it, who is responsible for making sure it is authorised? Having to BL any addresses can impact service delivery if done wrongly, esp. without oversight.

b. Unlocking accounts / password resets - This is going to involve access to the identity management system or AD equivalent. Without proper reasoning to unlock, would this lead to a genuinely compromised account (multiple brute-forced failed attempts) being released for use by the attacker again?

c. Logging in to check/extract information (Cisco 'show run') - This goes through access to the target device. The question is who has the privilege and is authorised to do the extraction. If such information is leaked, who is responsible, and have there been gaps in the change process, as it is being excluded?

d. Restarting / rebooting a service or OS to fix a problem - This is going to affect service delivery depending on the dependencies on the affected servers. It is not hardening or config changes that CAB should be overseeing. The impact assessment is not made known to anyone (at least to the CAB), and an afterthought is not desired.

The decision to authorize or reject a proposed change is based on the completed change assessment. In particular, the assessment is about properly understanding the risks associated with the implementation of a change. The policy would specify the levels of authorization required to authorize different types of changes, and whether they come under CAB is up to the organisation. If there is a central CAB, it is likely more effective to have it oversee and gatekeep the rules used to evaluate requested changes. See an example (pdf) of CAB TOR.
