To monitor changes, we recommend that you implement a change control mechanism to track security policy changes that result in changes to control options, configuration options, pertinent ACIDs, permits, and so on.
Business Value:
An audit of a security control may require that you substantiate your change controls.
Additional Considerations:
Frequently, a site implements a security policy through particular control options, and that policy remains defined permanently even though the underlying business case behind the policy has been modified or deleted.
Consider the situation whereby security controls are put into place to govern access to an application running on a specific application platform. If you move the application to a different platform or delete it altogether, security administrators may not be aware of this change. Consequently, they may continue to maintain a portion of a security policy that is no longer valid.
Copyright © 2010 CA Technologies.
All rights reserved.