Are you ready for your next regulatory compliance audit? Do you have processes in place for tracking system changes? Have you been following all of the processes and procedures when making changes to your servers and other IT organization systems?
Personally, I have been through an ISO audit on one of my large projects and am proud to say that my project management was rated 100% Green. Yes, I am proud because although the audit is the final outside auditor review, that 100% Green rating means that my project management was following company process.
If you are preparing for your next audit and are not using a Change Management solution, check out the offer below.
I was quite entertained by Ericka Chickowski's article, Learning From Auditor War Stories. I was also alarmed. The stories are from the front line - directly from the auditors. All of the stories have humor, if you are not the one who was being audited. My favorite was about a Change Management requirement that was NOT followed - while being audited!
Walt Conway, a QSA for audit firm 403 Labs, recounts an episode where his audit uncovered a firewall rule that seemed out of place. The person he was working with was eager to help the audit, and so he offered to change the rule on the spot - a big no-no given that the company had change management policies in place for an approval and ticketing process. It was what he called "a problem of excellence."
The person was qualified, good, knew what he was doing and did the right thing, "sort of," Conway says. "But it wasn't the right thing from a security point of view. It wasn't documented, there was no trail, and when he disabled the rule there wasn't a comment put that this was disabled on such and such a date."
A better alternative would have been for the employee to have told Conway that he'd write down the issue and address it during a regularly scheduled firewall update or initiate an emergency change process. As Conway puts it, organizations should be following the procedures all of the time, but "at the very least when the assessor is sitting there."
This is a great example of a process in place but not followed. Even with the best of intentions, do not neglect to follow your processes. Make sure that your team is ready for your next audit by implementing a Change and Release Management solution - that they will actually use! And may you receive 100% Green on your next audit.