A Practical Guide to Security Assessments
9. How are emergency changes handled?
Guidance:
In any environment, some changes will be true emergencies, i.e., they
must be made immediately. The need to make these changes quickly must be
balanced against ensuring that all relevant impacts of the change are
considered. For these cases there should be an emergency change process,
which still follows the change management process, just in an accelerated
manner. Appropriate personnel should review and approve the change (before
implementation where possible, and retrospectively at the latest), and there
should be an audit trail of what was changed, by whom, and why. To help users
determine which changes are emergencies, the change management policy or
procedure should contain guidelines for what constitutes an emergency change,
so that users know what is and is not an emergency.
Risk:
Without a process for emergency changes, a risk exists that critical
changes will not be implemented in production on a timely basis. In addition,
untested and unapproved changes may be introduced into the production
environment.
Client Response:
10. Who can initiate a change? Is there a list of people or roles authorized
to initiate a change?
Guidance:
To ensure that only reasonable changes are considered, there
should be some limitation on who can initiate changes and present them to
the larger group, i.e., the central group of people responsible for managing
the change process. The members of the change-control committee have other
jobs, and their time should not be spent reviewing changes that have not
gone through any initial screening, since this takes time away from
discussing the meaningful change requests. One way to limit who can initiate
changes is to restrict it to certain titles, e.g., only managers and above
can initiate changes. Another method is to have departmental-level
management perform the initial screening of change requests.
Risk:
The risk of not limiting who can submit changes is that trivial or
incorrect changes might be submitted for review. As a result, meaningful
changes will not receive the appropriate time for discussion.
Client Response:
AU1706_book.fm Page 390 Tuesday, August 17, 2004 11:02 AM