I recently had someone contact me about the change management item I list in my Firewall Best Practices document. They were trying to get management to adopt change management practices and were struggling to explain to management, properly and realistically, the risks of not having good practices in place. They wanted to know if I could explain the risks involved when a firewall best practice such as this is not implemented and the potential exposure an organization could face. A book could be written about the specifics of change management and firewalls. Here’s a good real-world example I’ve experienced…
Not too long ago I worked on a project where a network admin in a large organization made an offline, out-of-process change to a critical firewall that ended up creating hours of downtime for their e-commerce customers. That loss PLUS a couple of weeks of consulting time to figure out what went wrong and how to prevent it in the future created some pretty serious business risks and costs. Stuff that didn’t have to happen IF:
I’ve always said it, and it deserves repeating here: as long as people have their hands in security, there will always be vulnerabilities and business risks.