Configuration / Change Management Review
Virtual CISO Services ISO 27001
Configuration / Change Management Review Information
Effectively managing the never-ending changes necessitated by changing business conditions is a challenge for virtually every organization. Managing the configuration means providing reasonable assurance that the potentially significant risk resulting from these changes is fully managed as well. Configuration/change management reviews are intended to provide management with assurance that critical change management processes are in place and operating as intended.
Key activities include:
- Obtaining an understanding of the control processes including; process flow, roles and responsibilities, asset tracking and tools, control and logging of changes, communication requirements, and metrics leveraged;
- Reviewing the design of the central repository against critical objectives including compliance with relevant laws/regulations;
- Collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and validating the configuration repository; and,
- Validating that change management and incident management procedures are appropriately integrated; and,
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
The predominant benefits realized by a Security Code Review are:
Provides assurance that the organization effectively controls change to the enterprise IT systems, resources and networks whilst maintaining or improving system availability.
Configuration / Change Management Review: Best Used
Dependent upon client objectives and request for attestation we may employ various Network Penetration Testing
- As a means to perform root cause analysis for vulnerabilities that may have been introduce by poor change management processes; and,
- Where business and security requirements change frequently resulting in a higher risk relating to the change management process.