The change management process


The change management process has three basic components:
Request Control: The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks.
Change Control: The change control process is used by developers to re-create the situation encountered by the user and to analyze the appropriate changes to remedy the situation. It also provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment. Change control includes conforming to quality control restrictions, developing tools for update or change deployment, properly documenting any coded changes, and restricting the effects of new code to minimize diminishment of security.
Release Control: Once the changes are finalized, they must be approved for release through the release control procedure. An essential step of the release control process is to double-check and ensure that any code inserted as a programming aid during the change process (such as debugging code and/or backdoors) is removed before releasing the new software to production. This process also ensures that only approved changes are made to production systems. Release control should also include acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.
In addition to the change management process, security administrators should be aware of the importance of software configuration management (SCM). This process is used to control the version(s) of software used throughout an organization and to formally track and control changes to the software configuration. It has four main components:
Configuration Identification: During the configuration identification process, administrators document the configuration of covered software products throughout the organization.
Configuration Control: The configuration control process ensures that changes to software versions are made in accordance with the change control and configuration management policies. Updates can be made only from authorized distributions in accordance with those policies.
Configuration Status Accounting: Formalized procedures are used to keep track of all authorized changes that take place.
Configuration Audit: A periodic configuration audit should be conducted to ensure that the actual production environment is consistent with the accounting records and that no unauthorized configuration changes have taken place.
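
The configuration audit can be automated by replaying the status accounting records and comparing the result with what is actually deployed. The Python code below is an added example, not part of the original notes; the record fields (`path`, `sha256`, `change_id`), the `CHG-*` ticket ids and the file names are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def expected_state(ledger):
    """Replay the chronological ledger: the last authorized entry per path wins."""
    latest = {entry["path"]: entry for entry in ledger}
    return {p: e for p, e in latest.items() if e["sha256"] is not None}  # None = authorized removal


def audit(root: Path, ledger):
    """Compare files under root with the ledger; return (finding, path, change_id) tuples."""
    expected = expected_state(ledger)
    actual = {p.relative_to(root).as_posix(): digest(p.read_bytes())
              for p in root.rglob("*") if p.is_file()}
    findings = []
    for path, entry in expected.items():
        if path not in actual:
            findings.append(("MISSING", path, entry["change_id"]))
        elif actual[path] != entry["sha256"]:
            findings.append(("MODIFIED", path, entry["change_id"]))
    findings += [("UNTRACKED", path, None) for path in actual if path not in expected]
    return sorted(findings, key=lambda f: f[1])


def demo():
    ledger = [  # constructed accounting records; a temp dir stands in for production
        {"path": "config.ini", "sha256": digest(b"debug=false\n"), "change_id": "CHG-0001"},
        {"path": "main.py", "sha256": digest(b"print('v1')\n"), "change_id": "CHG-0001"},
        {"path": "main.py", "sha256": digest(b"print('v2')\n"), "change_id": "CHG-0002"},
        {"path": "old.py", "sha256": digest(b"legacy\n"), "change_id": "CHG-0001"},
        {"path": "old.py", "sha256": None, "change_id": "CHG-0003"},
        {"path": "lib.py", "sha256": digest(b"lib\n"), "change_id": "CHG-0002"},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_bytes(b"debug=true\n")    # changed with no record
        (root / "main.py").write_bytes(b"print('v2')\n")      # matches CHG-0002
        (root / "debug_shell.py").write_bytes(b"# aid\n")     # never recorded
        return audit(root, ledger)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An `UNTRACKED` finding is also how a debugging aid left behind after release control would surface, since no authorized change ever recorded it.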
Together, change and configuration management techniques form an important part of the software engineer’s arsenal and protect the organization from development-related security issues.