Pau Lo
asked on
Change control policy testing in windows environment
What kind of things in a windows environment, i.e. users/computers/servers/AD would typically go through "change control"?
90% of our IT service is outsourced - and we dont have a documented change management policy.
However - if for example we want a new user setting up - it can be logged as a service request - but it needs approval from either our in house IT managers before it is ok'd and the 3rd party can set them up in AD. Does that constiture effective change control?
Do we need a documented policy if our call logging system enforces approval?
WHeres the risk of us not having an internal change control documented policy?
And what other areas in windows could we test to see certain activities went through change control?
90% of our IT service is outsourced - and we dont have a documented change management policy.
However - if for example we want a new user setting up - it can be logged as a service request - but it needs approval from either our in house IT managers before it is ok'd and the 3rd party can set them up in AD. Does that constiture effective change control?
Do we need a documented policy if our call logging system enforces approval?
WHeres the risk of us not having an internal change control documented policy?
And what other areas in windows could we test to see certain activities went through change control?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
How does approval fit in with change management.
For example you say:
Things that won't be included include:
Creating of a new user
What if a department request a new in a sensitive network - does that just get approved - or does it have to go through some approval from management/IT before its setup? Does that sort of scenario not fall under change management?
For example you say:
Things that won't be included include:
Creating of a new user
What if a department request a new in a sensitive network - does that just get approved - or does it have to go through some approval from management/IT before its setup? Does that sort of scenario not fall under change management?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So in a nutshell change control is not neccesary for setting up a new security group or a new domain user account?
New Security Group: yes because this has security implications
new domain user: no as this does not have security implications
new domain user: no as this does not have security implications
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER