Going through an audit is certainly no fun. But if you aren’t set up to prove continuous compliance, then you are sure to have multiple, painful audits every year. In last week’s “Simplifying Firewall Audits and Ensuring Continuous Compliance” blog (Part 1) we focused on gathering the information needed for an audit.
In part 2 of this blog series we will focus on reviewing firewall change processes, which is extremely important in terms of “continuous compliance” because change is a given in today’s network. Too often organizations prove compliance at one particular point in time, only to fall out of compliance later on. If you don’t have a sound firewall change management process in place – that is known by all stakeholders and enforced – then you can easily fall out of compliance as changes occur regularly. A proper change management process will ensure traceability of firewall changes and sustainability over time… to ensure continuous compliance. Let’s examine this some more…
Step 2: Review Your Firewall Change Management Process
Poor documentation of changes (why the change is needed, who authorized the change, etc.) and poor validation of the impact on the network are two of the most common issues when it comes to firewall change management. As time goes on, this challenge is exacerbated by staff turnover – the internal knowledge base of why a change was made disappears, and then you're left wondering what you should do. Here are a few key recommendations to consider:
- Review the procedures for rule-base maintenance. Make sure you can answer questions such as:
  - Are requested changes going through proper approvals?
  - Are changes being implemented by authorized personnel? And are they being tested?
  - Are the changes being documented per regulatory or internal policy requirements? Each rule should have a comment that includes the change ID of the request and the name/initials of the person who implemented the change.
  - Is there an expiration date for the change?
- Determine if there is a formal and controlled process in place to request, review, approve and implement firewall changes. This process should include at least the following:
  - Business purpose for the request
  - Duration (time period) for the new/modified rule
  - Assessment of the potential risks associated with the new/modified rule
  - Formal approvals for the new/modified rule
  - Assignment to proper administrator for implementation
  - Verification that change has been tested and implemented correctly
- Determine whether or not all of the changes have been authorized. If you discover unauthorized rule changes, flag them for further investigation.
- Determine if real-time monitoring of changes to the firewall is enabled and access to rule change notifications is granted to authorized requestors, administrators and stakeholders.
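
Several of these checks can be run automatically against a rule-base export. The following Python example is added here and is not from the original post or any vendor tool; the comment convention (`CHG-<n> <INITIALS> exp=YYYY-MM-DD`), the change register and the rule export are constructed assumptions.

```python
import re
from datetime import date
# Assumed comment convention (not from the post): "CHG-<n> <INITIALS> exp=YYYY-MM-DD"
COMMENT_RE = re.compile(r"\b(CHG-\d+)\s+([A-Z]{2,3})\b(?:.*?\bexp=(\d{4}-\d{2}-\d{2}))?")

# Constructed change register: change ID -> approval state and assigned administrator.
CHANGE_REGISTER = {
    "CHG-1001": {"approved": True, "assignee": "JD"},
    "CHG-1002": {"approved": True, "assignee": "MK"},
    "CHG-1003": {"approved": False, "assignee": "JD"},
}

# Constructed rule-base export: (rule name, rule comment).
RULES = [
    ("allow-web-dmz", "CHG-1001 JD exp=2030-01-31"),
    ("allow-vendor-vpn", "CHG-1002 MK exp=2020-06-30"),
    ("allow-db-sync", "CHG-1003 JD exp=2030-01-31"),
    ("allow-temp-ftp", "CHG-1002 JD"),
    ("allow-any-any", "temporary, ask Bob"),
    ("allow-backup", "CHG-9999 MK exp=2030-01-31"),
]

def audit_rule(comment, register, today):
    """Return a list of findings for one rule comment (empty list = compliant)."""
    m = COMMENT_RE.search(comment)
    if not m:
        return ["no change ID / implementer initials in comment"]
    change_id, initials, expiry = m.groups()
    findings = []
    record = register.get(change_id)
    if record is None:
        findings.append(f"{change_id} not in change register (unauthorized?)")
    else:
        if not record["approved"]:
            findings.append(f"{change_id} was never approved")
        if record["assignee"] != initials:
            findings.append(f"implemented by {initials}, assigned to {record['assignee']}")
    if expiry is None:
        findings.append("no expiration date")
    elif date.fromisoformat(expiry) < today:
        findings.append(f"expired on {expiry}")
    return findings

def audit(rules, register, today):
    """Map each non-compliant rule name to its findings."""
    return {n: f for n, c in rules if (f := audit_rule(c, register, today))}

if __name__ == "__main__":
    print(audit(RULES, CHANGE_REGISTER, date.today()))
```

Rules that come back with findings are the ones to flag for further investigation; a rule with an unknown change ID or no parsable comment has no traceable approval at all.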
Taking these recommendations into account will get you off to a good start with solidifying your firewall change management processes and ensuring continuous compliance. In the next blog of this series we’ll examine the need to audit the firewall’s physical and OS security.