President's blog focused on industry trends and best practices.

Evaluating Firewall Change Requests for Applications in Large Organizations

October 27, 2006 (adapted from April 14, 2005)

Evaluating firewall change requests for applications, in large organizations, in a timely and risk-effective manner can be challenge. Having a procedure before you are faced with sudden pressures from business groups will help to ensure the success of your mandate and your relationships. Unfortunately, there isn't much practical advice available in the public domain.

Risk management standards such as the AS NZS 4360, the ISO TR 13335-3 (GMITS) and the ISO 17799 don't provide operational guidance on security change management. And the ITIL books don't help with the specifics of this matter either. So, here is an outline towards an "open procedure" for evaluating firewall change requests in large organizations.

[reduce to abstract]


Things needed prior to the request:

  • A policy regarding your firewall and the expected turn-around time for assessing such requests.
    • Hopefully with understanding and buy-in regarding the risks of opening ports on a corporate firewall and making changes too frequently.
  • Defined application standards and requirements.
  • A policy and process for application selection and evaluation that is either led by, done jointly with, or reviewed by, Information Services and Security.
  • A process for risk assessment.
  • A process for handling exceptions including defined decision makers.
  • An understanding of the priority of such requests, from your department's perspective, generally speaking (prior to value and risk assessment), with consideration for the corporate priorities and security priorities.

Request and Review

Follow a formal request and review process

  • Skim the request to confirm that a change is required.
  • Request the project charter, business case and plan.
  • Provide the general policy.
  • Is the project charter approved?
  • Is the project in the IT plan/budget?
  • Has sufficient budget been allotted for
    • IT and Security operations?
    • corrective actions or compensating controls? (not fully known)
  • What is the business value of the project?
  • What is the priority of the project/request?
  • Will the requested change, or application design, violate any policies? If so, is an exception being requested?
  • Is risk assessment required, or are the risks obvious from a cursory review?

Risk assessment and exception handling

Perform a risk assessment that includes and understanding of the business value.

  • Review the application, the sensitivity of the data involved, solution alternatives and compensating controls.
  • Determine/require the parameters of the exception: the management action plan to attain compliance by defined dates.
  • Forward the risk assessment and exception to the decision makers
  • Notify audit when an exception is approved or granted