changes to a system do not result in diminished security. Configurationchange management controls provide a process by which all system changes are tracked, audited, controlled, iden- tified, and approved. It requires that all system changes undergo a rigorous testing procedure before being deployed onto the production environment. It also requires documentation of any changes to user work tasks and the training of any affected users. Configurationchange man- agement controls should minimize the effect on security from any alteration to the system. They often provide a means to roll back a change if it is found to cause a negative or unwanted effect on the system or on security. There are five steps or phases involved in configurationchange management control: 1. Applying to introduce a change 2. Cataloging the intended change 3. Scheduling the change 4. Implementing the change 5. Reporting the change to the appropriate parties When a configurationchange management control solution is enforced, it creates complete documentation of all changes to a system. This provides a trail of information if the change needs to be removed. It also provides a roadmap or procedure to follow if the same change is imple- mented on other systems. When a change is properly documented, that documentation can assist administrators in minimizing the negative effects of the change throughout the environment. Configurationchange management control is a mandatory element of the TCSEC ratings of B2, B3, and A1 but it is recommended for all other TCSEC rating levels. Ultimately, change management improves the security of an environment by protecting implemented security from unintentional, tangential, or effected diminishments. Those in charge of change management should oversee alterations to every aspect of a system, including hardware configuration and system and application software. It should be included in design, development, testing, evalu- ation, implementation, distribution, evolution, growth, ongoing operation, and application of modifications. Change management requires a detailed inventory of every component and con- figuration. It also requires the collection and maintenance of complete documentation for every system component including hardware and software and for everything from configuration settings to security features. Standards of Due Care and Due Diligence Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort. For example, due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence is the continued application of this security structure onto the IT infrastructure of an organization. Operational security is the ongoing maintenance of continued due care and due diligence by all responsible parties within an organization. In today’s business environment, showing prudent due care and due diligence is the only way to disprove negligence in an occurrence of loss. Senior management must show reasonable due care and due diligence to reduce their culpability and liability when a loss occurs. Senior man- agement could be responsible for monetary damages up to 290 million for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991. Privacy and Protection Privacy is the protection of personal information from disclosure to any unauthorized individ- ual or entity. In today’s online world, the line between public information and private informa- tion is often blurry. For example, is information about your web surfing habits private or public? Can that information be gathered legally without your consent? And can the gathering organization sell that information for a profit that you don’t share in? However, your personal information includes more than information about your online habits; it also includes who you are name, address, phone, race, religion, age, etc., your health and medical records, your financial records, and even your criminal or legal records. Dealing with privacy is a requirement for any organization that has people as employees. Thus, privacy is a central issue for all organizations. The protection of privacy should be a core mission or goal set forth in the security policy of an organization. Privacy issues are discussed at greater length in Chapter 17, “Law and Investigations.” Legal Requirements Every organization operates within a certain industry and country. Both of these entities impose legal requirements, restrictions, and regulations on the practices of organizations that fall within their realm. These legal requirements can apply to licensed use of software, hiring restric- tions, handling of sensitive materials, and compliance with safety regulations. Complying with all applicable legal requirements is a key part of sustaining security. The legal requirements of an industry and of a country and often of a state and city should be considered the baseline or foundation upon which the remainder of the security infrastructure must be built. Illegal Activities Illegal activities are actions that violate a legal restriction, regulation, or requirement. They include fraud, misappropriation, unauthorized disclosure, theft, destruction, espionage, entrap- ment, and so on. A secure environment should provide mechanisms to prevent the committal of illegal activities and the means to track illegal activities and maintain accountability from the individuals perpetrating the crimes. Preventative control mechanisms include identification and authentication, access control, separation of duties, job rotation, mandatory vacations, background screening, awareness training, least privilege, and many more. Detective mechanisms include auditing, intrusion detection systems, and more.