Wednesday, 19 May 2010

Change control, security and PCI DSS


A recent change control question from a colleague, observations over the past year with two clients, and PCI DSS related blog coverage prompt me to write this post.


The change control processes followed by the two clients, although both were implemented and in place, could not be more different. One had a mature process with a Change Management framework in place: Change Analysts reviewed the requests in the queue, had the awareness needed to allocate each request to the right business function for assessment and approval, and used a relatively mature tool that supported the process. Regular reviews of Changes by key stakeholders to discuss the requests were also in place. The other client had an in-house tool developed to log and track requests, but the framework for managing those requests was very weak: the Change Management team did not fully understand the business and was not aware of whom to assign a change to or when to close a request.


PCI DSS covers Change Control related requirements primarily in Requirement 6.4, but it seems Change Control is not given the emphasis it needs in the security community, probably because it is seen more as a service management function. I believe in the Security Programme Life Cycle shown in the diagram below, and I have come across discussions around this in blog posts quite frequently. Business environments change for various reasons, and a good Change Control framework is not only important for the agility and adaptiveness of the business but also benefits Security management in maintaining the security posture of the environment and, in some cases, improving it too.




[Diagram: Security Programme Life Cycle]


2 comments:

  1. While I agree that a mature change control process is going to be much better than a cobbled together one, the problem is that as a QSA, I only have a limited amount of ability to judge mature vs. cobbled. If a change control process is handled via emails and other kludges, but has all the required components, like a backout plan and management approval, I pretty much have to accept it, I can't say "it's not mature enough to pass". What I can, and do, do is make certain that when I come back the next year they've shown progress and maturation of the process. And sometimes I still have to walk away shaking my head.

  2. Congrats McKeay, you've won the 'first-comment-on-the-secyority-blog' award! :) Seriously, thanks for reading the blog and taking the time to comment. I share your pain from my relatively short QSA stint. Yes, the organisation will be compliant by successfully passing the assessment, but for how long? If the right change process is not followed, where CRs are assessed and approved by appropriate authorities, the security posture will probably deteriorate and potentially lead to an incident. But that's a business decision, to live with the pain or do something about it. QSAs will assess and generally advise best practice.
