Search
Topics
  Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
Modules
· Home
· Content
· FAQ
· Feedback
· Forums
· Search
· Statistics
· Surveys
· Top
· Topics
· Web Links
· Your_Account

Current Membership

Latest: VJYL
New Today: 46
New Yesterday: 175
Overall: 130785

People Online:
Visitors: 74
Members: 3
Total: 77 .

Languages
Select Interface Language:


Major ITIL Portals
For general information and resources, ITIL and ITSM World is the most well known for both ITIL and ITIL Books. A shorter snapshot approach can be found at ITIL Zone

Related Resources
Service related resources
Service Level Agreement
Outsourcing

Note: ITIL is a registered trademark of OGC. This portal is totally independent and is in no way related to them. See our Feedback Page for more information.


The Itil Community Forum: Forums

ITIL :: View topic - 3rd Party Changes to Infrastructure
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

3rd Party Changes to Infrastructure

 
Post new topic   Reply to topic    ITIL Forum Index -> Change Management
View previous topic :: View next topic  
Author Message
Shiner3lima
Itiler


Joined: Apr 16, 2007
Posts: 21

PostPosted: Thu May 03, 2007 9:48 pm    Post subject: 3rd Party Changes to Infrastructure Reply with quote

A question for the forum.

What would be the Change Control policy to control the use of VPN tokens for use by 3rd Party service providers?

I am trying to introduce a new method of controlling the access to our infrastructure by comms and network providers and some software houses who have been allowed to remedy problems to their services by use of a VPN token. I want to centrally govern the use of these tokens but in some cases the ability to fix a problem quickly out of hours does enable me to ensure there is very little disruption. However, I feel that any disruption to service should not overcome the issues of security.

There is a very real point of using common sense here. As it seems to me that although the distributing of tokens to 3rd parties has been allowed to happen in the first place, I think I should advance a policy that puts me back in control of who is connecting to my network by restricting this type of access.

I would be very interested to hear from anyone who might have had this same problem in the past and has introduced a similar policy.

Does anyone out there have a solution in place that makes this issue null and void?

Regards,
AndyW.
Back to top
View user's profile Send e-mail
jpgilles
Senior Itiler


Joined: Mar 29, 2007
Posts: 123
Location: FRance

PostPosted: Thu May 03, 2007 10:18 pm    Post subject: Reply with quote

I would separate the issue in 2 pieces:

1) Security Management: determine who, when and how people are allowed to get remotely conected as well as for what purpose. Most important: how to log their connections and actions.

2) Change Management: your process should have planned for Emergency Changes that are implemented first, documented and replicated in your CMDB afterwards.
The point you are probably missing is how to handle the ECC (Emergency Change Committee) in such cases: whatever the nature, impact and urgency of the problem to be solved , NO change (even urgent) should be made without being formally authorized. You probaby need to introduce an Emergency Change Manager on-call schedule to cover all cases.

Ideally (you need to see how it can be implemented from a technical and organizational point of view) access to those 3rd parties shoud only be granted under authorization of the change manager.

I know it can seem a little bit heavy, but you can really jeopardize your operations if people are allowed to connect and make chances overnight as they think is appropriate without proper control, especially if people coming in the next morning might not be aware of the changes... The whole purpose of change management (to me) is to avoid this type of situations...

Hope it can help...

b.r.
JP
_________________
JP Gilles
Back to top
View user's profile Send e-mail
Shiner3lima
Itiler


Joined: Apr 16, 2007
Posts: 21

PostPosted: Thu May 03, 2007 11:08 pm    Post subject: 3rd Party Changes to Infrastructure Reply with quote

Thanks JP. As the Change Control Manager it is my responsibility
to ensure that any changes to my infrastructure are controlled. These guys are able to do what they want, when they want, right now.
It may mean I get a call at 2am but I would rather that than find out
someone logged in maliciously and trashed our network.

Thanks again,

AndyW.
Back to top
View user's profile Send e-mail
Globis
Itiler


Joined: Apr 17, 2007
Posts: 36
Location: Cape Town

PostPosted: Thu May 03, 2007 11:24 pm    Post subject: Reply with quote

Quote:
As it seems to me that although the distributing of tokens to 3rd parties has been allowed to happen in the first place, I think I should advance a policy that puts me back in control of who is connecting to my network by restricting this type of access


It is only common sense to have a security policy, but unless you are responsible for corporate security, it should not be you that defines policy. Of course you can help make policy though the very common sense suggestions you have made, but do not fall into the trap of defining policy in a vaccuum, because if something does go wrong you are setting yourself up to be the fall guy.

Quote:
What would be the Change Control policy to control the use of VPN tokens for use by 3rd Party service providers?


You need to seperate policy definition and policy implementation here.

It is not up to Change Control to define security policy, that will be done by your security organisaton (see BS7799). It is up to change control to ensure that those policies are implemented correctly in change management.

So you should have the following:
    A corporate security policy that e.g. allows 3rd parties onto your infrastructure for certain tasks under certain conditions (which should include a risk analysis).
    A 3rd party access architecture that describes in high-level (not technical) detail how the solution is defined.
    A technical solution (design) that implements managed 3rd party access.
    A 3rd party access agreement which details what that 3rd party on your infrastructure may and may not do. This agreement should be signed by each and every 3rd party that accesses the infrastucture.
    A Service level description, OLAs and SLA defining the service.
    A workflow defined for the change process.
    etc.

Whether the changes are implemented as delegated service requests that do not need CAB authorisation, or require CAB yes/no is up to your environment. But the point is that the change process ensures that the security policy is correctly implemented.

Finally any 3rd party that can access your infrastructure to perform some sort of service support must follow the same incident & change processes as the rest of your organisation if that service is under change control.

And don't forget to put an end date on the 3rd party access change record, i.e. unless renewed the access is automatically revoked.

Dave
Back to top
View user's profile
Ed
Senior Itiler


Joined: Feb 28, 2006
Posts: 411
Location: Coventry, England

PostPosted: Thu May 03, 2007 11:28 pm    Post subject: Reply with quote

Hi Andy

As a Change Manager myself, I feel your pain.

If you are unable to take control of your tokens, then it comes back to old fashioned trust.

You trust all your techies to abide by the Change Management Policy, or you hit them with a big stick.

What is the difference between your techies and the 3rd party ones?

We have agreements from our 3rd Party engineers that they will abide by our CM processes or we go after them, just as we would for our own.

As JP has said Retrospective completion of Emergency Out of Hours Changes has to be allowed for. The alternative is just not tenable.

It comes down to trusting these engineers that what they are doing is needed now.

I hope this helps

Regards

Ed
Back to top
View user's profile
Shiner3lima
Itiler


Joined: Apr 16, 2007
Posts: 21

PostPosted: Thu May 03, 2007 11:49 pm    Post subject: 3rd Party Changes to Infrastructure Reply with quote

Thanks Ed. I think Dave's point about the security policy is right. I cannot create the policy only enforce it. But right now, no one is looking at these things to create policy on. On the subject of trust. I can't get to grips with that one. I don't trust them. It is too easy for them to say they forgot about the process. What I dont want to do though, is put myself in the target area. It is not an easy one really.

AndyW.
Back to top
View user's profile Send e-mail
Ed
Senior Itiler


Joined: Feb 28, 2006
Posts: 411
Location: Coventry, England

PostPosted: Fri May 04, 2007 12:26 am    Post subject: Reply with quote

Andy

I know what you mean. All you can do then is educate, educate, educate, and then use your big boots - That is your job. You are the gatekeeper for the environment - you have to be prepared to stand up and say No!

I have in the past had very stern meetings with everyone at a 3rd party to ensure that they knew they had to comply.

Do you not have a contract with them. You should have an underpinning contract with them that give you some teeth!

The trust comes later if they really are cowboys.

Have their company agreed to conform to your processes? If so approach their bosses or your Customer Service Manager from their company. Get nasty politely. apply as much pressure on him/her as you can. Let him fight your battles for you.

Or are you saying that whoever wrote the contract from your company has left you without any recourse?

Regards

Ed
Back to top
View user's profile
Globis
Itiler


Joined: Apr 17, 2007
Posts: 36
Location: Cape Town

PostPosted: Fri May 04, 2007 12:59 am    Post subject: Reply with quote

There is always a degree of trust involved, otherwise very little would ever get done. However, at the same time you need to know if that trust is being exploited, therefore you have incident and change management so you can track these things.

Ed is absolutely right in that there should be an underpinning contract that governs the scope of activities of the 3rd party, and a signed 3rd party access agreement that makes your trust a little more easily granted!

Of course as change manager you can simply refuse to allow any changes implemented until these issues are sorted out. But be prepared for pain, suffering and hassle; and be careful as this is brinkmanship and depending on the importance of the services the 3rd parties manage, dangerous.

However, the usual -safer- corporate way to do this is to email everyone and his auntie about your 'grave concerns of potential security disasters', and desperately search for a suitable person/dept to push the problem onto. Then implement whatever controls you see fit whilst saying that you are waiting for the definitive policy from the aforesaid sucker whose problem it now is.
Back to top
View user's profile
jpgilles
Senior Itiler


Joined: Mar 29, 2007
Posts: 123
Location: FRance

PostPosted: Fri May 04, 2007 3:07 am    Post subject: Reply with quote

Globis wrote:
However, the usual -safer- corporate way to do this is to email everyone and his auntie about your 'grave concerns of potential security disasters', and desperately search for a suitable person/dept to push the problem onto. Then implement whatever controls you see fit whilst saying that you are waiting for the definitive policy from the aforesaid sucker whose problem it now is.


That sounds like some valuable real life experience!!!

I can just re-inforce how true it is .... As one of my former managers said: "if you can't fix the problem that you need to be fixed , make sure you are not (seen as) the problem or somebody else will fix it (you)! "
_________________
JP Gilles
Back to top
View user's profile Send e-mail
Display posts from previous:   
Post new topic   Reply to topic    ITIL Forum Index -> Change Management All times are GMT + 10 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB 2.0.8 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem,
sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).

Version 2.1 by Nuke Cops 2003 http://www.nukecops.com

Forums ©

 

Logos/trademarks property of respective owner. Comments property of poster. Rest 2004 Itil Community for Service Management & Foundation Certification. SV
Site source copyright (c)2003, and is Free Software under the GNU / GPL licence. All Rights Are Reserved.