Most organizations will employ more than one network administrator. This can pose a serious problem if policies and procedures are not clearly outlined when it comes to making changes to the existing network. Let’s say for example, that one network administrator spends countless hours securing the existing infrastructure. One of the other network administrators proceeds to make a change, such as adding a new server to the network or making a change to a security setting, without notifying any of the other administrators. Essentially what this does is create vulnerability in the security of the existing infrastructure. This is where change and configuration management come into play.

Communication is the key to any good relationship. The main idea behind change and configuration management is also communication. Anytime there is a change to be made, whether it is the addition of another server or a configuration change on a domain controller, the necessary parties should first be notified. In other words, before any changes are made, the proper channels must first be followed.

Now there are a number of different ways in which an organization can implement change and configuration control. Each company more than likely has established their own way of handling changes. One of the most common ways is to require anyone who has the ability to make changes to the existing infrastructure to first compile a change request form. The information in the change request form may include any of the following information:

• Name of the individual requesting the change
• Description of the proposed change
• The system and/or components that the change applies to
• When the change will occur and how long it will take
• Any foreseen problems that may arise from implementing the change
• Rollback plan
• Benefits/reasons for implementing the change

Once an administrator, or other user, fills out the required information within a change request form, it is submitted to the necessary parties who will determine whether the change request will be approved. In terms of security, this allows for a review process before a change is implemented to determine any security vulnerabilities that may arise from it.