This month, we urge all infosec teams to conduct a quick 30-minute audit of their change management processes.
Here are some quick-win questions to ask of the change management team:
- How often does the change management team meet, and what is the time frame for turning around a change order?
- What percentage of actual changes to the environment went through the change process in the last 12 months?
- Where can we locate the documents that specifically describe the change management process and when were they last revised?
- Please describe how exceptions to the change management process are handled.
- How are changes to the environment audited against what was provided to the change management team?
- What happens if a change is identified that did NOT go through the change management process?
There are plenty of online guidance sources for additional questions and audit processes, but these quick wins will get you started. As always, thanks for reading and keep working on your monthly touchdown tasks. Be sure to touch base with us on Twitter (@microsolved) should you have any questions about the work plans.