Hi, we also use a browser-based form (in fact a ticketing tool) in which we specify what changes need to be made. For firewall-related forms we have MANDATORY fields like source, destination, ports, protocol, whether the change is temporary or permanent (if temporary, specify the end date), and the impact and business justification of the change. There is also a field which asks for the date/time of the change. However, the changes are made only twice a week.
In our scenario:
Example 1: say the Unix team requires some ports to be opened on the firewall; the change requester opens a request in the tool. The request first goes to the MANAGER/Lead of the Unix team for approval. Then the request goes to the Firewall Mgt Lead/Manager to review the technical details of the request. If he approves, the request finally goes to the IT Security department, wherein the CISO approves the change.
Example 2: the Windows team needs to build a server (say physical). They have to build it offline, as they are not provided with an IP address by the Network team without going through a change control process. Once they get the IP address, the server is put in an isolated segment (say DEV/QA) until security tools (AV/HIPS/security management tools etc.) and all the relevant patches are installed on it. The server is checked against the hardening policy by the Server Admin, and then it is scanned with the security tool in order to check whether the server complies with the security policy. Once all is OK, a form is signed by the Server Admin, the security admin who ran the scanning tool, and IT Security. Only then is the server put in the Prod network.
The changes with higher impact are first discussed in the Change Advisory Board.
There are absolutely no changes that people can make without going through the change management framework.
Thanks,
Kartik, CISSP, CISM
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.