Types of IT activities that require CAB / Change Request

I'm listing out IT infra changes that require a CR / change control, i.e. are subject to CAB:
1. OS and network device OS patching/update/upgrade
2. Installing or configuring a software/feature
3. Adding/deleting/amending an ACL or firewall rule for Production purposes
4. Configuring DB changes: to list out ...
5. Hardening & OS changes (permission changes etc.)
6. OS/device tunings (including migrating services behind a WAF, ...)
7. Changing account/object privileges

However, I think the following just require an SR/email:
a. Blocking of IOCs (from threat intel)
b. Unlocking accounts/password resets
c. Logging in to check/extract information (Cisco 'show run')
d. Restarting/rebooting a service or OS to fix a problem
sunhux asked:
noci (Software Engineer) commented:
I am missing policy changes from the CAB-eligible issues.
If there are, say, 100 password reset requests a month in a 200-user population, there are other problems that need investigation & resolution... If the resolution means users don't need to change their password every week but once a month, that would be a change to pass by the CAB.

How about an admin password reset? Or a password reset for some service account? That would have a lot more impact.

Restarting a server to fix a problem: then the fix should be passed through CAB? The reboot is a part of the fix, IMHO.
If a server randomly shows problems that need rebooting to resolve, then there is a problem that needs to be investigated & solved... Changes to servers are CAB-eligible, IMHO.
Gerwin Jansen (EE MVE, Topic Advisor) commented:
It all depends on what your CAB is responsible for. I've seen organizations where the CAB just advises on upcoming changes and the operational support organization (e.g. support desk) handles things like timing of change execution, informing end users, etc. If some issue occurs where a server would need to be rebooted, the CAB would have no role at all. In the case of a new system/server/application, the CAB would have to approve first and the support organization would take care of taking things into service.
btan (Exec Consultant) commented:
You should define the terms of reference for the CAB and, specifically, what constitutes a change. For those exclusions, you should be asking whether there is any effect on the running IT system.

e.g. The addition, modification or removal of anything that could have an effect on IT services. The scope should include changes to all architectures, processes, tools, metrics and documentation, as well as changes to IT services and other configuration items.

a. Blocking of IOCs (from threat intel) - This is going to involve firewall changes, so if the CAB is overseeing those, who is responsible for making sure it is authorised? Having to BL any addresses can impact service delivery if done wrongly, especially without oversight.

b. Unlocking accounts/password resets - This is going to require access to the identity management system or AD equivalent. Without proper reasoning for the unlock, could this lead to a legitimately compromised account (multiple brute-forced failed attempts) being released for use by the attacker again?

c. Logging in to check/extract information (Cisco 'show run') - This goes through access to the target device. The question is who has the privilege and is authorised to do the extraction. If such information is leaked, who is responsible, and have there been gaps in the change process because it is excluded?

d. Restarting/rebooting a service or OS to fix a problem - This is going to affect service delivery, depending on the dependencies on the affected servers. It is not hardening or config changes that the CAB should be overseeing. The impact assessment is not made known to anyone (at least not to the CAB), and an afterthought is not desired.

The decision to authorize or reject a proposed change is based on the completed change assessment. In particular, the assessment is about properly understanding the risks associated with the implementation of a change. The policy would specify the levels of authorization required to authorize different types of changes, and whether something comes under the CAB is up to the organisation. If there is a central CAB, it is likely more effective to have it oversee and gatekeep the rules used to evaluate requested changes. See an example (pdf) of a CAB TOR.
