1 REQUEST & APPROVAL
The initial phase of a change management process is the request for change, or RFC. In most cases, this will be entered into a change management application and submitted for consideration by the change advisory board (CAB). Usually this board includes representatives from the help desk, network operations, servers and system administration, security, internal audit, database management and application development. Other members may represent legal, operations and administrative departments.
Once the CAB allows the RFC to proceed, it must progress through a chain of approval that allows all stakeholders involved to determine whether the change should be executed. Information security teams should be involved in the approval process, and make approval decisions based on perceived risk to the organization for the requested change. This initial phase of the change management process should have a built-in feedback loop, so approval workflow members can ask the change requestor questions or discuss ramifications with other stakeholders.
Security must:
- Ensure the request comes from a valid source that is authenticated and authorized to request a change by checking user accounts and repositories, identity management systems and log files.
- Establish an audit trail for change requests--who made the request, who logged in to the change management system to review the change, who was involved in approval, and who made comments on the change.
For security teams implementing changes for their own systems, such as IPSes and firewalls, important in-formation to provide in the RFC includes the actual technical changes to be made, systems to be affected, and the possible risks to those or other systems in the environment. Potential risks resulting from not implementing the change should also be recorded.
 |
|
|
|
|
|
|
|
|
|
takeaways |
|
|
|
|
|
|
|
|
|
|
REQUEST & APPROVAL
Security's Role...
- Authenticate change requestor
- Establish an audit trail for requests
|
|
|
|
|
|
|
|
|
