Re: Firewall Changes through Change Management

["Menne, Michael S" <000002306ce3cd04-dmarc-request () LISTSERV EDUCAUSE EDU>]

Change Management is mostly a communication and documentation function for us.  It’s an advisory body and not 
necessarily an approval body.

We have Emergency, Informational, Normal, and Standard Changes.  Changes that are performed frequently with known risks 
(usually low risk)  and outcomes can be processed as Standard changes.  Standard changes for us require no approval by 
the CAB and can be performed with a 24 hour notice. Standard Changes have to be proposed as a Standard Change and are 
voted on by the CAB through the Normal Change process.  Informational changes are changes outside of our control 
(example: Office 365 changes that may have a significant impact on our users).

Firewall changes that are routine and low risk could be a Standard Change in our environment.  Standard Changes are 
templated so they can be submitted quickly.  We hold CAB meetings twice a week. Standard changes are reviewed, but not 
discussed in detail or voted on.


Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware

[signature_1415841060]

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Kimmitt, 
Jonathan" <jonathan-kimmitt () UTULSA EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, May 4, 2021 at 9:42 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Firewall Changes through Change Management

Hi all,

  We are in discussions of how to include border firewall changes in the change management process…..

Whether to require change management for any rule changes, and conduct during our weekly maintenance windows…..  or 
open it up and allow changes anytime during the week as is requested by Networking/Systems….

I was curious to how other .edu’s do it in their environments?

-Jonathan



~
Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM, CIPT,
OTCP,GLEG, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
jonathan-kimmitt () utulsa edu
918.631.2743


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cmichael.menne%40MNSU.EDU%7C34086a31bc824bed537208d90f0ad973%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637557361539342092%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=QU8POF79Q%2FcbunE0I%2FkRHBpTOofN0fO3oWcmHpk9KGU%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community