Archive for June 2014

Is your change-management process working? Do you even have one?


Do upgrades to your corporate systems happen because of deliberate reflection and defined testing, or do changes get introduced “on-the-fly?” The latter is more common than we all care to admit, but it can be a costly way to do business when an untested change causes an entire system to behave in unexpected ways--sometimes things even cease to operate.

The value of the productive hours lost is part of the real cost of poorly-implemented changes to systems, so make sure that all changes are planned, approved, tested, and documented, along with some form of a back-out strategy. You never know... things don't always work out quite the way we expect, now do they?

Consider forming a Change Management Committee and make sure that senior members (who might be construed as stake-holders) from across your organization participate in its activities.

Finally, communicate, communicate, communicate: Make sure that everyone who needs to know about an upcoming change actually gets the memo. Surprises can get ugly.

Have You Defined Standards for Each System?


Unlike policies and procedures, which are mandatory in nature and apply to all members of the organization, a standards document is specific to the information system to which it belongs, and sets forth goals for the implementation of that system.

As we all know, there’s more than one way to implement a system, and keeping track of how your organization has chosen to set up controls in each application is a great idea. Still, core concepts of security implementation at your organization can be identified and codified for each system, regardless of the endless variety.

These standards documents can be as detailed or as high-level as you wish, but they will always be specific to the system and will be advisory in nature. Make sure that your security teams can demonstrate how day-to-day activities relate to the code of behavior in each standard.

Who Owns the Data vs. Who Maintains the Data


In the age-old battle of data and systems administration, organizations must understand who actually owns the data contained in the applications. Data center staff may well administer the programs and the operating system upon which the programs depend, but their role in ownership is limited.

Access to sensitive data must be authorized by the department or group that creates and maintains the actual content of the system. They alone should decide who gets access to the system, since they know all their departmental players and are best suited to determining who has an actual business need for access.

Systems maintenance staff are the perfect choice for maintaining the software that runs the application, the operating system that supports the application, and the hardware that houses the application. They are not the best folks to decide who gets access to the data.