Dear Team
Appreciate your suggestions for the question below.
A security team member was selected as a member of a Change Control Board (CCB) for an organisation. Which of the following is one of their responsibilities?
Option B is the best choice here, as the security member's responsibility would be to study and determine the impact of the proposed changes.
Option A is a good choice here, as members of the CCB need to make the decision by approving or rejecting the change based on the information available.
Any thoughts here?
Appreciate your inputs.
Thanks
Nitesh
My thoughts on this one.
The question has at least two correct answers.
A security team member was selected as a member of a Change Control Board (CCB) for an organisation. Which of the following is one of their responsibilities?
As part of the process, all team members should/must determine the impact of the change and then either approve or deny the change. For a definition:
https://project-management-knowledge.com/definitions/c/change-control-board-ccb/
I personally like this definition of the ITIL process which shows the steps that should be taken:
Based on this information, I would answer A but would not argue that B is also correct.
The Security personnel must review the change to ensure that it meets the business requirements without damaging or interfering with security implementation but they will also be part of the decision making team.
In actuality, C could also be correct... it depends on the system being modified at the user's request (a change to a firewall, opening ports, changing remote access, a change to the AV system to include/exclude a directory, etc.).
So I stand corrected, there are at least 3 correct answers.
My thoughts on an early Sunday morn.
Be safe, be kind
d
I concur with the response. Broadly speaking, the role of the security team member on the CAB is twofold:
1) determine the impact on security posture/risk, and how this change shall improve or reduce the security posture and thus impact the residual risk.
A case in point: a change in an administrative role definition has a potentially wider impact than, say, opening a specific port/protocol on the firewall in a restricted fashion.
2) based on the impact (deviation from baseline, increase in risk, or any contravention of commonly accepted security principles, like a NO any-any rule), the security personnel must approve/deny the change.
Oftentimes the control owner MUST be informed of the risk of the change vs. making an approve/disapprove decision. Those risk-based change decisions can then be fed into the risk register.
A is the most appropriate response in that a CCB is responsible for approving or denying the request. B is also a good answer, but it is actually part of the approve/deny request.
Answer B is the RCA or root cause and effect analysis before a change is approved or disapproved. Otherwise, your CCB is nothing more than a rubber stamp and nothing more. B comes before A making A the most correct answer.
- b/eads
I agree the CCB's role is to approve or reject changes depending on the impact analysis, but do you think a security team member will have the authority to approve/reject changes?
I suppose, and what we practise is, a security team member will assist in the analysis of the change as part of the CCB and provide info to the Security/Business Manager to take decisions.
Yes, I have seen it happen on my own team. However, we try to avoid doing so because it rapidly turns into a pissing contest and appeals to higher authorities. Instead, our goal is that approval/conditional approval/denial be unanimous. We accomplish this by focusing on recommending better alternatives, or asking questions that result in the presenter (or their management) realizing they should be implementing the change differently.