topic Security Procedures contents in Governance, Risk, Compliance

Security Procedures contents

2912 — Tue, 28 Dec 2021 04:06:49 GMT

Hi All

I’m preparing a Change Control Procedure for my company. I’m just wondering if it is appropriate to add a “Scope” to specify what is in scope and what is not?

Some of the scopes include the following:

In scope

Software: installation, patch, upgrade or remove software, including off-the-shelf applications, OS and in-house developed applications.
Database: changes to DB structure
Hardware: Installation or modification of computing equipment and services

Out of scope

Desktop: installing a Bluetooth mouse, changing the Windows system’s language interface, etc.
Daily administration: reset user password, modification of user roles and security groups.

I appreciate any help you can provide.

Re: Security Procedures contents

tmekelburg1 — Tue, 28 Dec 2021 17:00:09 GMT

Does your company have any docs in-between a policy and procedure related to change management (CM)?
Is the CM procedure mostly viewed by the technology staff/admins if they have questions on what to do if they receive a CM request?

Me personally, I keep Policy short with pointers to a Standards doc and Procedures doc. The Standards doc is where I'd put the detailed list of what's either in scope or out of scope and I can change it as often as needed. Some Orgs don't have anything in-between and if that's the case here, place it in the procedure doc because you wouldn't want to go through all the admin hurdles of updating policy to make minor changes to the list.

Re: Security Procedures contents

2912 — Wed, 29 Dec 2021 02:30:16 GMT

Hi tmekelburg1

Thanks for your advice. We have a policy and procedures in place, but no other doc in between. I'll put the scope in the procedure file as suggested by you.

Thanks.