CyberSecurity Validation Change Control
 


  • Changes to CyberSecurity software and infrastructure must be documented and validated. This requires meticulous preparation of sequential work steps within a carefully planned Change Management process. The validation process must be carried out immediately following any changes to CyberSecurity software and infrastructure, utilizing a similar structured approach that includes sign-off and pre-authorisation before changes can be initiated. The Change Advisory Board normally oversees the Forward Schedule of Changes. The following document outlines the CyberSecurity Validation Change Control requirements for planned change management.

    ============================== BEGINNING OF DOCUMENT =============================

    CYBERSECURITY VALIDATION CHANGE CONTROL
    CVCC# _example_[14167_CVCC]
    Page 1 of 4

    SECTION I - CHANGE INITIALIZATION

    SOFTWARE OR INFRASTRUCTURE SYSTEM: ________________________________________
    LOCATION: ________________________________________
    IDENTIFICATION: _______________
    VALIDATION STATUS (complete/in progress): ______________
    ORIGINATOR: (Name/Department): ________________________________________
    DATE CVCC PREPARED: __example_[June_16th_2014]_
    EFFECTIVE DATE OF CHANGE: __example_[June_24th_2014]_

    DESCRIPTION OF MODIFICATIONS/PROPOSED CHANGE(S):
    Step 1: example only [Save all user libraries from current live system and restore one to new.]
    Step 2: example only [Test print, network access, business systems, cloud systems.]
    Step 3: example only [Upgrade operating system from 'XYZ' to 'XYY'.]
    Step 4: example only [Repeat Step 2.]
    Step 5: example only [Business Unit Team will conduct functional testing.]
    Step 6: example only [Refresh live data.]
    Step 7: example only [Deploy changes to all desktops, laptops, and tablets.]
    Step 8: example only [Complete another full backup.]

    REASON(S) FOR THE MODIFICATION(S)/PROPOSED CHANGE(S):
    __example [Due to increased use of the business application 'XYZ', the current system configuration can no longer support the volume of through-put which 'XYZ' is now generating. As a result, it is now necessary to upgrade the hardware processor to a higher model capable of supporting the new requirements.]__
    ________________________________________

    This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program then please contact Mark @ 604-349-6557 or mesbernard@gmail.com
  • SECTION II - IMPACT ASSESSMENT

    IMPACT STATEMENT: Include the following:
    1. Compliance impact;
    2. Database integrity;
    3. System security;
    4. End user procedures;
    5. Additional training requirements;
    6. Periodic or on-going testing requirements;
    7. Documentation requirements;
    8. Full revalidation requirements (i.e., supporting statement).

    1. Compliance Impact: example [This software migration will have no effect on Compliance Risk. Functionally the software will interact as before.]
    2. Database integrity: example [This software migration will have no effect on the database integrity. All current files will be installed on new server using the back-up restore function.]
    3. System security: example [This software migration will have no effect on the system security; security files will also be migrated intact.]
    4. End user procedures: example [This software migration will change the IP address used to connect to the server by the business user. Training will be provided to walk users through the user manual instructions for minor sign-on changes.]
    5. Additional training requirements: example [Additional training will not be required.]
    6. Periodic or on-going testing requirements: example [No on-going testing is required for this software migration.]
    7. Documentation Requirements: example [Screen prints and system generated reports will be compared to the same reports generated from the original production systems. A listing of objects saved and copy of the job log when the objects are restored will be created and verified to confirm complete migration of files and data.]
    8. Full revalidation requirements: example [Full revalidation will not be required as we have already validated the 'XYZ' software that will be installed, and operating system tests will be conducted at the time of installation.]

    IMPACT EVALUATION REVIEWED AND APPROVED BY: ________________________________________
    Originator Signature and Date: ________________________________________
    IT Director/designate and Date: ________________________________________
    Quality Assurance/Control Director/designate and Date: ________________________________________
    Validation Manager/designate and Date: ________________________________________ ('XYZ' System Coordinator)
    ALL DESIGNATES MUST INCLUDE TITLE OF POSITION HELD.
  • DOCUMENTATION, TESTING, BACKUP AND BACK OUT REQUIREMENTS (Include all re-testing requirements, tape backup and hard copy requirements. Identify responsible parties): ________________________________________

    DOCUMENTATION REQUIREMENTS: Provide print screens to demonstrate that the installation has been correctly completed. Attach all installation testing checklists. All checklists must be reviewed by Organizational IS validation departments.

    FUNCTIONAL TESTING: example ['XYZ' application testing of core modules will be completed following the installation as per a predetermined test plan. All documented testing related to the test plan will be attached to the CVCC.]

    BACKUP PROCEDURES: example [A full backup of the 'XYZ' system will be completed for the LIVE environment both before and after the software migration is attempted.]

    BACK OUT PROCEDURES: In the event that the install process does not provide the expected results and we are forced to back out the system changes, the following details must be documented:
    1) The procedure executed and individual signature/Date.
    2) Cause or reason for back out.
    3) Other corrective action or follow-up required.

    FOLLOW-UP PROCEDURES: ___________________________

    SECTION III - TESTING REPORT

    TESTING REQUIRED: ____YES/NO______
    SUMMARY OF RESULTS: ___n/a___
    ________________________________________
    REFERENCE RAW DATA: ___n/a___
    ________________________________________
    ARE RESULTS SATISFACTORY? ______YES/NO______
    ________________________________________
  • ATTACHMENT INCLUDED: ________________________________________
    ________________________________________

    RECOMMENDATIONS: ________________________________________
    ________________________________________

    TEST RESULTS AND RECOMMENDATIONS REVIEWED AND APPROVED BY:
    Originator Signature and Date: ________________________________________
    IT Director/designate and Date: ________________________________________
    Quality Assurance/Control Director/designate and Date: _____/_____/______
    Validation Manager/designate and Date: ________________________________________ ('XYZ' Coordinator)
    ALL DESIGNATES MUST INCLUDE TITLE OF POSITION HELD.

    ================================ END OF DOCUMENT =================================