10.1.2 Change Management

Illustrative Controls and TIBCO LogLogic Solution

Change management addresses how an organization modifies system functionality to help the business meet its reporting objectives. Deficiencies in this area might significantly impact reporting. For example, changes to the programs that allocate data to accounts require appropriate approvals and testing before implementation to ensure classification and reporting integrity. Businesses must ensure that requests for program changes, system changes, and maintenance (including changes to system software) are standardized, documented, and subject to formal change management procedures.

Activity logs provide numerous ways to monitor system change activity to determine if change management procedures are correctly implemented and being followed under requirements 10.1.2(a), (b) and (c). Auditors review specific change management policies and then attempt to validate that they are followed by checking documentation/email trails. They use logs as a final validation to determine that the changes indicated in documentation were actually implemented in the manner and at the time prescribed. Specifically, administrators should:

  • Have reports that identify all changes to firewall and router configurations and ensure that all changes are authorized. The most efficient way to identify configuration changes is at the time of the modification.
  • Set up alerts so that any changes to the configuration, authorized or otherwise, are detected and notified.
  • Have reports that periodically review all firewall rules to ensure that accurate access controls are listed.
  • Have reports that review network traffic correlated with the firewall policy to ensure that appropriate rules are used to protect the company.
  • Have reports that monitor all changes to the production environment and compare the changes to documented approvals, utilizing alerts and reports on policy modifications, group activities, escalated-privilege activities and permission changes.
  • Ensure that only authorized software is permitted for use by employees using company IT assets.
  • Validate that application software and data storage systems are properly configured to provision access based on the individual’s demonstrated need to view, add, change or delete data.

To satisfy this control objective, administrators must review all changes to the production environment and compare the changes to documented approvals to ensure the approval process is followed. From the archived audit log data, obtain a sample of regular and emergency changes made to applications/systems to determine whether they were adequately tested and approved before being placed into a production environment. Trace the sample of changes back to the change request log and supporting documentation.
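The reconciliation step described above, tracing each logged configuration change back to an approved change request and its maintenance window, as an added Python example that is not part of this guide or the TIBCO LogLogic product; the audit log lines, ticket ids and approval windows are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample of archived audit log lines (not from any real device):
# timestamp, device, administrator, config action, optional change ticket.
AUDIT_LOG = """\
2024-03-04T02:10:00 fw01 alice config-change "add rule permit tcp/443 to dmz" ticket=CHG-1001
2024-03-04T14:22:00 rtr02 bob config-change "bgp neighbor removed" ticket=CHG-1002
2024-03-05T09:05:00 fw01 carol config-change "disable logging on rule 17"
2024-03-06T23:40:00 fw01 dave config-change "add rule permit any any" ticket=CHG-9999
"""

# Constructed change request log: ticket -> approved maintenance window.
APPROVED_CHANGES = {
    "CHG-1001": ("2024-03-04T02:00:00", "2024-03-04T04:00:00"),
    "CHG-1002": ("2024-03-04T22:00:00", "2024-03-05T00:00:00"),  # bob changed early
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<device>\S+) (?P<user>\S+) config-change '
    r'"(?P<desc>[^"]*)"(?: ticket=(?P<ticket>\S+))?$'
)

def parse_events(text):
    """Parse the constructed log format into dicts; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())  # ticket is None when absent
    return events

def reconcile(events, approvals):
    """Classify each change against the approval record; verdict is one of
    'approved', 'outside-window', 'unknown-ticket' or 'no-ticket'."""
    findings = []
    for ev in events:
        ticket = ev["ticket"]
        if ticket is None:
            verdict = "no-ticket"
        elif ticket not in approvals:
            verdict = "unknown-ticket"
        else:
            start, end = (datetime.fromisoformat(t) for t in approvals[ticket])
            when = datetime.fromisoformat(ev["ts"])
            verdict = "approved" if start <= when <= end else "outside-window"
        findings.append((ev["device"], ev["user"], ticket, verdict))
    return findings
```

Every finding other than 'approved' is an exception to trace back to supporting documentation; the change with no ticket and the one citing an unknown ticket are the cases a change-management review most often misses.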

Administrators must set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.

Configuration management ensures that security, availability, and processing integrity controls are set up in the system and maintained through its life cycle. Insufficient configuration controls can lead to security and availability exposures that might permit unauthorized access to systems and data and impact reporting.

Reports and Alerts

Use the following link/reference to see the 10.1.2 reports and alerts: TIBCO LogLogic Reports and Alerts Quick Reference.