Security review of changes
A formal change management process is not only a requirement for many regulatory and standards bodies, but in general a good practice of due diligence. In the typical implementation of change management there is a process followed to ensure all affected parties are aware of a planned change. This allows the various business units and IT to fully understand impact and properly set the risk level for the change. What happens many times though is the security team is not made aware of the changes in the environment. Sometimes this lack of review is due to reducing the workload for the team and not overburdening them with reviewing countless changes. This can be a serious misstep because teams may not be aware that a change has security implications.
Another issue is intentional bypassing of security because security is seen as a road block. Information security should be involved in changes that affect the security posture of the enterprise, introduce risk, involve...
