Hi, IMO:
GPO changes should be classified based on risk:
 - the scope of possible issues (e.g. will it impact the domain, an OU, only a select group),
 - as well as the possible impact of the change (complete outage, major impact, minor inconvenience etc.).

It's then fairly easy to draw up an "x by y" 2D grid:

                              Scope of Change
                           Large   Medium   Small
  Possible         High
  Adverse          Medium
  Impact           Low

Then you base your process around the risk weighting:
 * Changes that would result in a "green" box can be handled by creating an incident ticket [1]
 * Changes that are orange require your normal change management process
 * Changes that are red require CAB approval, plus some other additional review.

You may have some special process, or mandatory weightings, for privileged accounts, machines etc. E.g. changes to servers that the Board (or executive) store their documents on, plus their workstations/accounts, changes to security infrastructure etc.

You don't want to send every change to CAB - otherwise you'll get bogged down in every minor change (e.g. adding or removing a single site from an IE zone).

Cheers
Ken

[1] You may want to limit these to a set of "pre-approved" standard changes. The CAB would agree to a blanket approved "change" that can then be reused for each subsequent individual change. If the change doesn't fall into a pre-approved category, it can be approved by an offline CAB.

From: [email protected] On Behalf Of Ziots, Edward
Sent: Monday, 23 September 2013 1:14 AM
To: [email protected]
Subject: RE: [NTSysADM] Change control....GPO

+2. Definitely agree that a GPO change, or modification, which will impact the workstation environment should go to change management.

Z

Edward E. Ziots, CISSP, CISA, Security+, Network+
Security Engineer
Lifespan Organization
[email protected]
Work: 401-255-2497

From: [email protected] On Behalf Of Brian Desmond
Sent: Saturday, September 21, 2013 2:44 PM
To: [email protected]
Subject: RE: [NTSysADM] Change control....GPO

+1. I've seen this pivot in highly regulated environments: where the GPO affects a controlled asset/system, it's much more rigid.

Thanks,
Brian Desmond
[email protected]
w - 312.625.1438 | c - 312.731.3132

From: [email protected] On Behalf Of William Robbins
Sent: Friday, September 20, 2013 10:08 PM
To: [email protected]
Subject: Re: [NTSysADM] Change control....GPO

Most of the environments I've worked in treat GPOs depending on level of impact. Domain-wide, go to Change Control processes. OU level requires sign off from the manager for that OU. GPOs making maintenance changes with low risk are treated the same as user account creation: HD ticket or similar to track request and work.

- WJR

On Fri, Sep 20, 2013 at 9:55 PM, David Lum <[email protected]> wrote:

For you guys with a pretty well defined change control process - are incremental GPO changes (in this case we have a GPO that controls IE's trusted sites, and I want to add "enable auto logon with current credentials" for sites in trusted sites) reviewed by people before the change? I'm thinking in larger environments it might be submitted by one person, reviewed and approved by another, but not necessarily held until a formal change request meeting is convened? Normally I'd just whip this change out, but I need to think about the accountability process in general.

David Lum
Sr. Systems Engineer // NWEA™
Office 503.548.5229
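An added example, not code from anyone in the thread: the "scope" axis of Ken's grid can be derived from where a GPO is actually linked rather than guessed, and the routing (ticket / normal change / CAB) then falls out of the grid. This PowerShell assumes the RSAT GroupPolicy and ActiveDirectory modules in a domain-joined session with read access to AD; the 250-object threshold, the green/orange/red cell assignment, the route strings, and the GPO and OU names in the usage call are all assumptions for illustration, not anything the thread specifies.

```powershell
# Added example; not code from anyone in the thread. Derives the "scope" axis
# from where a GPO is linked and routes the change through the grid.
# Assumptions (not from the thread): RSAT GroupPolicy + ActiveDirectory modules,
# a domain-joined session with read access, the 250-object threshold, the
# green/orange/red cell assignment, and the GPO/OU names used in the usage call.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkScope {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$GpoName)

    $domain  = Get-ADDomain
    # Candidate link targets: the domain root plus every OU. Site-level links
    # are not covered here; add site targets if your domain uses them.
    $targets = @($domain.DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)

    $links = @(foreach ($dn in $targets) {
        # GpoLinks are the GPOs linked directly at this container, not inherited ones.
        $hits = (Get-GPInheritance -Target $dn).GpoLinks |
                Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }
        foreach ($link in $hits) {
            # Objects under the link target. Security filtering, WMI filters and
            # block-inheritance on child OUs are ignored, so this is an upper bound.
            $affected = @(Get-ADObject -SearchBase $dn -SearchScope Subtree `
                          -LDAPFilter '(|(objectClass=computer)(objectClass=user))').Count
            [pscustomobject]@{ Target = $dn; Enforced = $link.Enforced; Affected = $affected }
        }
    })

    $total = [int](($links | Measure-Object -Property Affected -Sum).Sum)
    $scope = if ($links.Count -eq 0)                                   { 'None' }
             elseif ($links.Target -contains $domain.DistinguishedName) { 'Large' }
             elseif ($total -gt 250 -or $links.Count -gt 1)             { 'Medium' }  # assumed threshold
             else                                                       { 'Small' }

    [pscustomobject]@{ Gpo = $GpoName; Scope = $scope; AffectedObjects = $total; Links = $links }
}

function Get-GpoChangeRoute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('High','Medium','Low')][string]$Impact,
        # DNs (or DN suffixes) of containers that always get the "red" treatment,
        # e.g. the OU holding executive workstations or security infrastructure.
        [string[]]$ProtectedTargets = @()
    )
    $info = Get-GpoLinkScope -GpoName $GpoName
    $scopeRank  = @{ None = 0; Small = 1; Medium = 2; Large = 3 }
    $impactRank = @{ Low = 1; Medium = 2; High = 3 }
    $s = $scopeRank[$info.Scope]
    $i = $impactRank[$Impact]

    # Assumed cell colouring: top of either axis is red, bottom of both is green.
    $cell = if ($s -eq 3 -or $i -eq 3)      { 'red' }
            elseif ($s -le 1 -and $i -eq 1) { 'green' }
            else                            { 'orange' }

    # Mandatory weighting: any link at or under a protected container forces red.
    foreach ($t in @($info.Links.Target)) {
        foreach ($p in $ProtectedTargets) {
            if ($t -like "*$p") { $cell = 'red' }
        }
    }

    $route = @{
        green  = 'pre-approved standard change: incident ticket'
        orange = 'normal change management'
        red    = 'CAB approval plus additional review'
    }
    [pscustomobject]@{
        Gpo = $GpoName; Scope = $info.Scope; Impact = $Impact
        AffectedObjects = $info.AffectedObjects; Cell = $cell; Route = $route[$cell]
    }
}

# Usage (names are assumptions): the IE trusted-sites tweak from the thread,
# rated Low impact, but forced to CAB if the GPO is linked under the executive OU.
Get-GpoChangeRoute -GpoName 'IE Trusted Sites' -Impact Low `
    -ProtectedTargets 'OU=Executive,DC=corp,DC=example' | Format-List
```

The object count is deliberately an upper bound: it ignores security filtering, WMI filters and blocked inheritance, which is the conservative direction for a risk rating. The impact axis stays a human judgement, since a script can't tell whether a setting change is a "minor inconvenience" or an outage; what it can do is stop someone from calling a domain-linked GPO "small scope".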

