
Questions for: Configuration Management and change control

December 12, 2010
  • Does the configuration management plan address identification, status accounting and audit?

  • Does the configuration management plan address the configuration of all system and configuration items?

  • Is the configuration management integrated into the structure of an organization?

  • Is there version control of all configuration items?

  • Is configuration management and version control consistent across the organization?

  • Is there a formal process to initiate, authorize, implement and approve changes?

  • Does the process describe who can initiate, authorize, implement and approve changes?

  • Does the change control procedure require a risk analysis assessment about the impact of the change?

  • Does the risk management procedure require identifying all risks resulting from the change, with the likelihood and severity of problems?

  • Does the risk management procedure require identifying means of mitigating risk, or means of recovery should the risk actually become reality?

  • Are there lists with all potential risks for network components, such as switches, routers, etc.?

  • Does the change request form include information on the current state of the device?

  • Does the change request form request information on priority?

  • Does the change request form include the intent of the change?

  • Does the change control procedure require evaluating the impact of the change on other network devices?

  • Are there recommendations with examples for the amount of testing after changes of network components?

  • Does the change approval form include a statement on the validation status of the networked system?

  • Is there a procedure for emergency changes?

  • Is there a system to track changes?

  • Does the change control procedure include the requirement to ‘freeze’ the configuration before the change is made such that the system can go back to this configuration in case the change causes problems?

  • Does the change control procedure require formal documented evidence that the entire system works ‘as intended’?

  • Does the change control procedure require updating user manuals, if necessary?

  • Does the change control procedure require updating network drawings, if necessary?

  • Are status reports being generated to identify status of requests?

  • Do status reports show sufficient granularity, e.g., % complete?

  • Are all changes reviewed in weekly meetings of administrators?

  • Does the organization have a formal group that is responsible for configuration management audits?

  • Is there an audit schedule?

  • Do audits include network diagrams?

Ongoing maintenance and control

  • Have these tasks been considered as part of on-going control?

  • Are there infrastructure and procedures for problem reporting and resolution?

  • Is network configuration change management in place?

  • Are there procedures for regular network access checks?

  • Are software upgrades implemented by all users in similar time frames?

  • After a change, are there tests to check the impact of the change on other network components/systems?

  • Are there regular back-ups?

  • Is there a risk assessment for the frequency of back-ups?

  • Are back-up and retrieval procedures validated?

  • Is there a contingency plan in case one or more network components fail?

  • Is there a contingency plan in case of fire or flood?

  • Are there instructions in case of malfunction of network components and systems (e.g., who should be informed)?

  • Is there documented evidence on data integrity after recovery from failures (disasters)?

  • If there are redundant components or systems, have they been validated?

  • Is there a training and user administration strategy for new users?

  • Are there procedures for regular review of network drawings?

  • Are there procedures for regular review of authorized user lists?

  • Is there an annual review of security procedures and logs?

www.bestitdocuments.com