This is good information -- thanks for the input Ray. It sounds like your environment is fairly static. Is that the case?
I'm interested in hearing what change controls others use when there are no regulatory requirements.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Ray
> Sent: Saturday, February 04, 2012 10:30 AM
> To: [email protected]
> Subject: Re: [FW-1] Change control
>
> All changes must go through change control except for the regular IPS
> signature updates and adjusting them for our environment. When they are
> added, the ones not applicable to our environment are set as Deactivated
> on all profiles. For the ones that do apply, their action is set to Detect
> and Email so we know if they are triggered. If there are no false
> positives the Action is changed to Prevent after a week. If a
> vulnerability handled by IPS is later patched enterprise-wide, that IPS
> signature is then set to Deactivated on all profiles.
>
> Emergency rule changes, as in we need to stop something NOW, can be done
> without prior approval but then are documented as an emergency change with
> the reason noted as to why approval was not obtained in advance. These are
> usually caused by off-hour alerts.
>
> We're in banking and the primary regulator concern is that all changes are
> known to management, not necessarily that they were all approved in
> advance. The FFIEC guidelines in fact do say that the administrators need
> to have the flexibility to make un-preapproved changes of an emergency
> nature that are needed to protect customer and company data.
>
> All change control requests must be written so that anyone reading them in
> the future, especially auditors and regulators, can easily understand what
> was done and why. The most common reason for delays in approving changes
> is that there is insufficient detail. Same-day approval and change is
> possible but we try to avoid it.
>
> We only have two people who actually have credentials to make changes.
> That really minimizes cowboy changes.
>
> We have the email alert action set to an Exchange distribution list. When
> alerts go off they are emailed to both administrators and managers 24x7,
> to work accounts and phones. In SmartView Monitor we have its alerts set
> to email also. All policy installations generate an email alert so
> everyone knows it happened.
>
> Ray
>
> > Date: Fri, 3 Feb 2012 14:17:12 -0800
> > From: [email protected]
> > Subject: [FW-1] Change control
> > To: [email protected]
> >
> > I'm interested in what other organizations do in the way of change
> > controls for their firewalls. Are all firewall changes subject to the
> > change control process? Which ones are and aren't, and how do you
> > decide? What's the process? How long does your approval process take,
> > and who's involved? How much discretion does the firewall administrator
> > have? I realize there will be a lot of "it depends", but I think it may
> > be useful to get a broad baseline idea of what other people's real world
> > practices are.
> >
> > Thanks
> >
> > Dan Lynch, CISSP
> > Information Technology Analyst
> > County of Placer
> > Auburn, CA
> >
> > Scanned by Check Point Total Security Gateway.
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
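The staged IPS signature workflow Ray describes (Deactivated if not applicable, Detect and email while watching for false positives, Prevent after a clean week, Deactivated again once the vulnerability is patched enterprise-wide) and his rule that an emergency change must be documented with the reason advance approval was skipped can both be expressed as a small state machine with an audit trail. The following is an added example written for this thread, not code from Ray, Dan, or Check Point, and it does not talk to a SmartCenter. The class and function names, the seven-day reading of "a week", the choice that a false positive restarts the clean week, and the minimum-detail word threshold for a change request are all this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class Action(Enum):
    DEACTIVATED = "Deactivated"  # not applicable here, or vulnerability already patched
    DETECT = "Detect"            # log and email only, while watching for false positives
    PREVENT = "Prevent"          # block, once a week has passed cleanly


SOAK_PERIOD = timedelta(days=7)  # assumption: "after a week" read as seven days


@dataclass
class Signature:
    name: str
    applicable: bool
    action: Action = Action.DEACTIVATED
    detect_since: Optional[datetime] = None
    false_positives: int = 0
    history: List[dict] = field(default_factory=list)  # audit trail: the what and the why

    def log(self, when: datetime, what: str, why: str) -> None:
        self.history.append({"when": when.isoformat(), "what": what, "why": why})


def on_signature_added(sig: Signature, now: datetime) -> Action:
    """A signature arriving with the regular update: deactivate it, or start it in Detect."""
    if not sig.applicable:
        sig.action = Action.DEACTIVATED
        sig.log(now, "Deactivated on all profiles", "not applicable to this environment")
    else:
        sig.action = Action.DETECT
        sig.detect_since = now
        sig.log(now, "Detect + email", "watching for false positives before blocking")
    return sig.action


def on_false_positive(sig: Signature, now: datetime) -> Action:
    """Assumption: a false positive restarts the clean week rather than ending promotion."""
    sig.false_positives += 1
    sig.detect_since = now
    sig.log(now, "Soak period restarted", "false positive observed")
    return sig.action


def review(sig: Signature, now: datetime) -> Action:
    """Scheduled review: promote Detect to Prevent once a clean week has elapsed."""
    if (sig.action is Action.DETECT and sig.detect_since is not None
            and now - sig.detect_since >= SOAK_PERIOD):
        sig.action = Action.PREVENT
        sig.log(now, "Action changed to Prevent",
                "no false positives in %d days" % SOAK_PERIOD.days)
    return sig.action


def on_patched_enterprise_wide(sig: Signature, now: datetime) -> Action:
    """The vulnerability is patched everywhere, so the signature is no longer needed."""
    sig.action = Action.DEACTIVATED
    sig.detect_since = None
    sig.log(now, "Deactivated on all profiles", "vulnerability patched enterprise-wide")
    return sig.action


@dataclass
class ChangeRequest:
    rule: str
    requested_by: str
    approved_in_advance: bool
    description: str            # what was done and why, written for a future reader
    emergency_reason: str = ""  # why advance approval was skipped, if it was


def validate_change(req: ChangeRequest, min_words: int = 8) -> List[str]:
    """Return the reasons a request would be sent back; an empty list means it can be filed."""
    problems = []
    if len(req.description.split()) < min_words:  # word threshold is this example's assumption
        problems.append("insufficient detail: a future reader must see what was done and why")
    if not req.approved_in_advance and not req.emergency_reason.strip():
        problems.append("emergency change must note why approval was not obtained in advance")
    return problems


def run_scenario() -> Signature:
    """Constructed timeline for one applicable signature; the dates are made up."""
    t0 = datetime(2012, 2, 4, 10, 30)
    sig = Signature("example-signature", applicable=True)
    on_signature_added(sig, t0)
    review(sig, t0 + timedelta(days=3))             # too early, stays in Detect
    on_false_positive(sig, t0 + timedelta(days=5))  # clean-week clock restarts
    review(sig, t0 + timedelta(days=8))             # only 3 clean days, still Detect
    review(sig, t0 + timedelta(days=12))            # 7 clean days, promoted to Prevent
    on_patched_enterprise_wide(sig, t0 + timedelta(days=30))
    return sig


if __name__ == "__main__":
    for entry in run_scenario().history:
        print(entry["when"], entry["what"], "-", entry["why"])
```

The `history` list on each signature is the part an auditor would actually read: every transition records when it happened, what was changed, and why, which is the same "anyone reading it later can understand what was done and why" standard Ray applies to written change requests. `validate_change` encodes the two reasons a request gets sent back in his description: too little detail, or an emergency change filed without saying why approval was not obtained first.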
