Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: defining change control severity

from [Brunner, Mark] Network Security [Permanent Link]
Subject: RE: defining change control severity
Date: Mon, 15 Aug 2005 09:13:28 -0400 
Laurin, I think that you are on the right track.

I've been busting my hump on this one as well, for several months.  It seems 
there is no way, or at least none that I could find, to eliminate the judgement 
call.  But then again, that is why you have well trained people in pivotal 
roles.  To make those judgement calls.

What I have done is to use a similarly weighted scale, allow judgement calls in 
the Request For Change process, and back that up two-fold by having the Change 
Approval Board review all changes, and a Technical Review of every change that 
they feel requires it or that they have further questions on.

It may not be the perfect solution, but it does allow patterns to emerge if 
someone is trying to short shrift the planning effort.  Helps to identify those 
high plains drifters who prefer to ride low in the saddle and shoot from the 
hip.

Cheers!
Mark

-----Original Message-----
From: Laurin Buchanan [mailto:buchanal@mscdirect.com]
Sent: Thursday, August 11, 2005 5:12 PM
To: 'security-management@securityfocus.com'
Subject: defining change control severity


Greetings everyone,

We are currently trying to come to a working definition of 'major' versus
'minor' change in our development process. At present we have a weighted
scale that factors in the Type, Impact and Degree of Difficulty of the
change, as indicated below:

Type of Change  
 Version Upgrade (new system)   A
 Functional Enhancement                 B
 Bug Fix / Error Correction             C
        
Impact of Change        
 Direct Financial Statement Impact      A
 Direct Customer Function Impact        B
 Behind the scenes                      C
        
Degree of Difficulty of Change  
 Major Complexities                     A
 Minor Complexities                     B
 Straight Forward - nothing complex     C
        
If there is an "A" in any of the three categories, it is deemed a major
change. A response of all "B" is likewise deemed major; everything else is
minor.

This is rudimentary at best and still involves judgment calls by
individuals, something we'd like to keep to a minimum. If anyone has
suggestions based on their own work in this regard or can provide links to
useful reference material, I'd appreciate hearing from you.

Thanks in advance, 

Laurin Buchanan, CISSP
Information Security 
MSC Industrial Direct
v: 516.812.1358
This e-mail is intended for the use of the addressee(s) only and may contain
privileged, confidential, or proprietary information that is exempt from
disclosure under law. If you are not the intended recipient, please do not
read, copy, use or disclose the contents of this communication to others.
Please notify the sender that you have received this e-mail in error by
replying to the e-mail. Please then delete the e-mail and destroy any copies
of it. Thank you.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Is there any way to measure IT Security??, Fernando Martins
Next by Date:  Security program development (Plan), Larry Erdahl
Previous by Thread:  defining change control severity, Laurin Buchanan
Next by Thread:  Security program development (Plan), Larry Erdahl
Indexes:  [Date] [Thread] [Top] [All Lists]