I have frequently come across a question – “How can we control unauthorized changes?” Some of the most common response that I have come across are:
To answer the above question, IT Security Management process has to be tightly integrated with Change Management. As part of the IT security process and policy definition, a security policy has to defined whereby ‘write’ access to the production environment can be granted to the concerned stakeholders, including the ‘administrators’ only when a change is approved and the concerned stakeholder is responsible for the change.
The defined security policy would be implemented by Access Management. Granting and revoking access can be automated by linking the approved change, implementer ID and change schedule with the access control application.
This process would ensure that no one has the access to the environment unless the same is approved by change management, which would be an approved change request. Thereby, proactively making certain that only approved changes are implemented to greater degree of accuracy (an approved stakeholder can still make some change which is not approved in the environment one has access to for implementing an approved change but such instances would be extremely rare)
- Discovery tool can help in identification of the change of state, which if not approved would mean the change is unauthorized. This is reactive; in reaction to a change that has already been implemented. It can help us in identifying the unauthorized changes that has already been implemented, in case that change of state is being monitored. But if that change fails, the impact to the business would have already happened.
- We need to embed process culture to ensure that everyone follows the defined processes and policies. Again a reactive approach if one is aware that unauthorized change has taken place. May be it can help in minimizing the probability when implemented with a severe penalty clause whereby it would be a deterrent for an individual to go against the defined process or policy. But there is a saying “Thief is not a thief till one is caught stealing”. Same applies to unauthorized changes. Many organizations realizes that unauthorized change has taken place only when that change fails and impacts the business.
- Many have voiced the combination of the above two to eventually ensure that unauthorized changes are not implemented.
To answer the above question, IT Security Management process has to be tightly integrated with Change Management. As part of the IT security process and policy definition, a security policy has to defined whereby ‘write’ access to the production environment can be granted to the concerned stakeholders, including the ‘administrators’ only when a change is approved and the concerned stakeholder is responsible for the change.
The defined security policy would be implemented by Access Management. Granting and revoking access can be automated by linking the approved change, implementer ID and change schedule with the access control application.
This process would ensure that no one has the access to the environment unless the same is approved by change management, which would be an approved change request. Thereby, proactively making certain that only approved changes are implemented to greater degree of accuracy (an approved stakeholder can still make some change which is not approved in the environment one has access to for implementing an approved change but such instances would be extremely rare)