In terms of data security – what things in relation to an application go through corporate change control? Say in the context of a payroll application running on Server 2003 (virtual machine), with a SQL Server database, accessed via a web browser, albeit an intranet-based app – so running IIS etc.

I want to check our admins manage and administer these applications with change control in mind. So, specific to say a payroll app – can you give 5 examples of “management tasks”, “security tasks” and “administration tasks” that would go through change control?

And also – when we say go through change control, what “controls” would you expect to see to demonstrate effective change control?

asked 11/20/2011 09:48


pma111 ♦♦

3 Answers:
I would say everything: all changes to the production system should be handled in an organized manner.

One option would be to use some aspects of ITIL change management. In ITIL, changes are divided into 3 categories:

- Normal change: all changes that go through the full change management process
- Standard change: predetermined and pre-approved changes
- Emergency change: high priority changes or fixes that need to be done quickly

The full change management process requires a service ticket or order to be created (change request or CR in ITIL lingo), which describes e.g. the impact of the change, management approval, testing and a back-out plan in case the change causes problems. All changes that are often repeated, such as daily maintenance tasks, password changes, user account creation etc., should be made into standard changes, where they don't need separate approval and testing. Normal changes are typically configuration changes, software installations, minor version updates etc. Emergency fixes are typically urgent security updates or configuration changes.

The point of change management is that no unapproved or unmanaged changes are made to the systems, and there's a clear change history of what changes have been done, when and why. Optimally you should have some sort of ticketing system to manage and archive the change tickets, but this can also be done just by email approvals and Excel sheets where the changes are logged.


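One way to turn the last point into an auditable check, as an added example that is not part of CoccoBill's answer: reconcile the changes actually observed on the payroll hosts (from install or audit logs) against the change requests, and flag anything that no complete, in-window CR explains. Host names, CR ids and events are constructed; the evidence required per category follows the answer's description, and holding emergency tickets to the same evidence as normal ones is an assumption.

```python
# Added example, not from the thread; hosts, CR ids and events are constructed.
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime

@dataclass
class ChangeRequest:
    cr_id: str
    host: str
    category: str        # "normal", "standard" or "emergency"
    approved: bool       # management approval recorded on the ticket
    tested: bool         # test evidence attached to the ticket
    backout_plan: bool   # back-out plan documented
    start: datetime      # approved implementation window
    end: datetime
    task: str = ""       # standard changes: the one pre-approved task covered

ObservedChange = namedtuple("ObservedChange", "when host description")  # e.g. from an audit log

def cr_is_complete(cr):
    """Does the CR carry the evidence its category needs? Standard changes are
    pre-approved and pre-tested; normal and emergency ones need approval, testing
    and a back-out plan (assumption: emergency CRs need the same, just faster)."""
    return cr.category == "standard" or (cr.approved and cr.tested and cr.backout_plan)

def cr_covers(cr, change):
    if cr.category == "standard" and cr.task != change.description:
        return False     # a standard change only covers its pre-approved task
    return (cr.host == change.host and cr.start <= change.when <= cr.end
            and cr_is_complete(cr))

def find_unmanaged(changes, crs):
    """Observed changes that no complete, in-window CR explains."""
    return [c for c in changes if not any(cr_covers(cr, c) for cr in crs)]

def dt(*parts):          # shorthand for constructing 2011 timestamps below
    return datetime(2011, *parts)

CRS = [
    ChangeRequest("CR-1001", "WEB01", "normal", True, True, True, dt(11, 20, 22), dt(11, 21, 0)),
    ChangeRequest("CR-1002", "DB01", "normal", True, False, True, dt(11, 21, 22), dt(11, 22, 0)),
    ChangeRequest("STD-07", "WEB01", "standard", True, True, True, dt(1, 1), dt(12, 31),
                  "IIS app pool recycled"),
]
OBSERVED = [
    ObservedChange(dt(11, 20, 22, 30), "WEB01", ".NET update installed"),
    ObservedChange(dt(11, 21, 23, 10), "DB01", "SQL Server patch applied"),   # CR-1002 untested
    ObservedChange(dt(11, 22, 8, 0), "WEB01", "IIS app pool recycled"),
    ObservedChange(dt(11, 23, 9, 5), "DB01", "new sysadmin login created"),  # no CR at all
]
```

Running `find_unmanaged(OBSERVED, CRS)` returns the untested SQL Server patch and the login created with no ticket; those are the items an auditor would ask the admins to evidence.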


Thanks Bill.

I was wondering if people could suggest a top 5 of higher-risk changes you'd typically encounter for any given IT system – so I can check these for appropriate change control and back-up plans, or evidence thereof.

answered 2011-11-21 at 23:54:11



Kind of saying a sort of risk assessment based on the environment, but I see that an old paper is quite relevant in the primary aspects of maintaining security by default with least privilege in the areas of people, technology, and process. It may not give you the full answers to your query, but minimally a start of the right control for managing changes, and the interaction between those entities will require a robust role-based access control. This also brings in the importance of an identity management system to address insider threats, with logging and audit trails for anomalous and fraudulent acts.

No best of both worlds in preventing and detecting 100%, but we can stay close to achieving both when we start off with an agreed enterprise security policy baseline applied across the systems, and from there assign the RBAC and start off the logging. May not be straightforward in implementation – to that I agree. Security is a process, not a product ... I tend to relate change control with security a lot.

Probably the Top 35 Mitigation Strategies for the key threats highlighted by the Australian government may interest you – especially their one-table summary of the threats.

answered 2011-11-22 at 02:29:56



Last updated: 11/27/2011 08:53