The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
ISO for when the enterprise consists of a small number of servers, data classification can determine how to track and/or dispose of unwanted hardware. The fewer controls implemented in asset management, the more important data classification becomes for firms that are not large enough for a full implementation of either asset management or data classification.

Control Change

It seems as if every technology department's most dreaded process is change control. Don't look to ISO to give the technology team a break when it comes to controlled change to the environment: it requires an industry-standard process that specifically takes security oversight into account. But technology teams should be great fans of change control processes; there is a wealth of operational knowledge in the change record. It has been said that you can't manage what you don't measure, and that is never truer than with technology metrics. The process that delivers the most metrics is change control. Questions about the type, frequency, severity and potential or measured impact of change can be answered by mining change control data.

Everyone: Upgrading (Intelligently) to the New Normal

The effort involved in tracking change data shouldn't be a barrier to implementing a sound change control process. There are a number of ways to limit the amount of documentation change control produces by applying a risk-based approach to the change process. For example, a risk assessment of maintenance changes might determine that routine changes do not pose a great risk to the environment; the policy for this type of change would then require neither full change control board approval nor scheduling. And it could be argued that development or test servers require no change management at all because they are not production servers.
Although change control is extremely valuable in large organizations, it can be leveraged in small technology departments as well. There is no requirement to implement a change control application dedicated to the process, nor is it a requirement to create metrics from the data. Something as simple as a spiral-bound notebook, in which the changes are logged and a separate staff member performs the oversight, is just as effective a process. If the notebook approach is the one that fits, be sure not to substitute an Excel spreadsheet as the "sign-off" sheet. This type of evidence is not appropriate in a standards-based environment. (Auditors like signatures, not initials typed in spreadsheets.)

implemented processes — change control, risk management, security awareness and data classification — to make this evidence requirement more manageable.

• Because the technology department in this fictional large firm uses data classification, the technologists know the difference between critical servers and everything else. This allows the control to state, "The technology department reviews the logs on critical servers daily." This reduces the evidence requirement from two million to 36,000.

• The security awareness process has alerted them to review the security logs, as these hold the most critical information. They can now write the policy to say, "Security logs of critical servers are reviewed daily." Now the evidence is reduced to slightly over 14,000.

• Using change control and incident management data, technology can look at the changes made to the critical servers and the incidents related to them to determine the frequency of changes and any security-related incidents impacting those servers over the last two years. The technology team then produces a risk assessment to determine the risk of reviewing those logs at some other interval. This would make the policy statement, "Security logs of critical servers are reviewed monthly (or quarterly)."
The resulting evidence requirement is limited to 480 and 160 respectively. Using core operational controls has allowed the firm to go from over two million pieces of evidence to a lean 160. This ensures a clean, focused and valuable policy and procedure. The most important thing to remember about leveraging process to limit documentation is that it requires documented proof that the data classification, risk management, change control and security awareness processes were invoked to reach this conclusion.

Peer to Peer 63