Chapter 107 · Security Program Management

Security Procedures

Change management and the Change Control Board, onboarding and offboarding procedures, security playbooks and SOAR automation, and governance structures — the step-by-step processes that implement security policy in day-to-day operations.

Confidential
Report ID: PROC-2024-001Domain: Security Program ManagementTopic: Change Management & Change Control Board

Change Management and the Change Control Board

Security procedures are the step-by-step instructions for how security-relevant activities must be performed. Where policy states what must be done and standards specify the technical requirements, procedures define the exact sequence of actions, decision points, and responsibilities. Procedures make policy enforceable in daily operations.

Change Management vs. Change Control

Change management is the broad process for managing all changes to IT systems. Change control is the formal approval mechanism within change management that ensures changes receive appropriate review before implementation.

The Change Control Board (CCB)

The Change Control Board is the formal governance body responsible for reviewing and approving or rejecting proposed changes to IT systems. The CCB ensures that changes are evaluated for risk, have appropriate rollback plans, and are scheduled appropriately.

Change control workflow:

  1. Scope definition: The change requestor documents exactly what is being changed, which systems are affected, and the reason for the change.
  2. Risk analysis: The potential security and operational impact is assessed. High-risk changes (touching production firewalls, active directory, or core databases) require more rigorous analysis than routine patches.
  3. Implementation plan: Step-by-step instructions for implementing the change, including timing, resource requirements, and dependencies.
  4. End-user impact assessment: Determination of how the change affects users and whether they need advance notification.
  5. CCB review and approval: The board reviews the change request and either approves, rejects, or requires modification before resubmission.
  6. Backout plan: The documented procedure for reverting to the previous state if the change fails or causes unexpected issues. This must be defined before the change window, not improvised during a failure. Without a backout plan, a failed change may leave systems in an undefined state.
  7. Documentation: After implementation, the change and its outcome are documented. Approved changes that produce unexpected results must be escalated.
The backout plan is not optional. Every change that enters a change window must have a documented, tested rollback procedure. A change without a backout plan should be rejected by the CCB.

Emergency Changes

Emergency changes (e.g., patching an actively exploited critical vulnerability) cannot wait for the next scheduled CCB meeting. Emergency change procedures allow expedited approval — typically from a designated authority (CISO, IT director on-call) — while still requiring post-hoc documentation, risk assessment completion, and CCB review at the next meeting. Emergency change procedures do not eliminate review; they expedite it.

Confidential
Report ID: PROC-2024-002Domain: Security Program ManagementTopic: Onboarding & Offboarding Procedures

Onboarding and Offboarding Procedures

Onboarding Procedures

Onboarding is the process of provisioning access, equipment, and training to a new employee or contractor. Security-focused onboarding ensures that new personnel enter the environment with appropriate access and awareness:

Offboarding Procedures

Offboarding is the process of revoking access and recovering assets when an employee or contractor departs. Offboarding failures are a significant security risk; many insider incidents occur because former employees retained active access after separation.

Disable accounts, never delete immediately. Deleted accounts may permanently destroy the ability to decrypt files the employee encrypted or verify their digital signatures. Disable first; delete after all dependencies are confirmed resolved.
Confidential
Report ID: PROC-2024-003Domain: Security Program ManagementTopic: Playbooks, SOAR & Governance

Playbooks, SOAR, and Governance Structures

Security Playbooks

A security playbook is a documented, step-by-step procedure for responding to a specific type of security event or performing a specific security operation. Playbooks operationalize incident response plans into actionable instructions.

SOAR: Security Orchestration, Automation, and Response

SOAR (Security Orchestration, Automation, and Response) platforms enable playbooks to be executed automatically, integrating with the organization's security tools to take response actions without human intervention for high-confidence scenarios.

Governance Structures

Security governance defines who has authority over security decisions, how that authority is exercised, and how security programs are structured and overseen.

Governance StructureRole in Security
Board of directorsUltimate accountability for organizational risk. Sets risk appetite. Approves major security investments and policies at the strategic level. Receives security reporting from the CISO.
Security committee / steering committeeCross-functional committee (IT, legal, HR, operations, executive) that governs security priorities, reviews security posture, and coordinates security decisions across business units.
Government entities and regulatorsExternal governance: regulatory bodies (SEC, HIPAA, GDPR supervisory authorities) impose compliance requirements that shape organizational security programs. Regulatory requirements may mandate specific controls, reporting timelines, and audit obligations.

Centralized vs. Decentralized Governance

Organizations must choose how security governance authority is distributed:

SOAR automates the execution of playbook steps. Without playbooks, SOAR has nothing to automate. Playbooks come first; SOAR enables automated execution at scale and speed.