FIDP-02

Do you have a documented policy for firewall change requests?

Explanation

This question is asking whether your organization has a formal, documented policy that governs how changes to firewalls are requested, approved, implemented, and documented. Firewalls are critical security controls that regulate network traffic between different network segments based on predetermined security rules. Changes to firewall configurations can have significant security implications - a misconfiguration could inadvertently expose sensitive systems to unauthorized access or attacks.

The question is being asked in a security assessment because proper change management for firewalls is essential for maintaining a strong security posture. Without a documented process, firewall changes might be made haphazardly, without proper review, testing, or documentation, potentially introducing security vulnerabilities.

A documented firewall change request policy typically includes:

1. A formal process for requesting changes (who can request, what information must be provided)
2. Review and approval workflows (technical review, security review, management approval)
3. Risk assessment procedures for proposed changes
4. Testing requirements before implementation
5. Implementation procedures (timing, verification)
6. Documentation requirements (what was changed, why, by whom, when)
7. Emergency change procedures for urgent situations

To best answer this question, you should indicate whether you have such a policy, briefly describe its key components, how it's enforced, and how frequently it's reviewed. If possible, mention how this policy fits into your overall change management or security governance framework.

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive Firewall Change Management Policy as part of our overall IT Change Management framework. The policy documents the entire lifecycle of firewall changes, including request submission via our ticketing system, required approvals from both network and security teams, pre-implementation risk assessment, testing procedures in our lab environment, implementation windows, post-change verification, and documentation requirements. The policy also includes an expedited process for emergency changes with appropriate compensating controls. All firewall changes are logged, and the policy itself undergoes annual review and is accessible to all IT staff through our internal documentation portal.

Example Response 2

Yes, we have implemented a formal Firewall Change Request Policy that governs all modifications to our network security infrastructure. Our policy requires all change requests to be submitted through our ServiceNow platform with detailed justification, business impact, and technical specifications. Each request undergoes a multi-tier approval process involving the requester's manager, network operations, and the security team. Changes are categorized by risk level, with higher-risk changes requiring additional scrutiny and testing. All changes are implemented during scheduled maintenance windows unless classified as emergency changes, which follow a separate but equally rigorous expedited process. Our policy is reviewed quarterly and was last updated six months ago to incorporate cloud firewall management procedures.

Example Response 3

No, we currently do not have a formally documented policy specifically for firewall change requests. Our firewall changes are handled through verbal requests to our network administrator, who implements changes based on business needs. While we do maintain a log of changes in our firewall management console, we recognize this is a gap in our security processes. We are in the process of developing a comprehensive change management policy that will include specific procedures for firewall changes, with expected completion within the next quarter. In the interim, we've implemented compensating controls including weekly firewall rule reviews and quarterly security assessments of our network configurations.

Context

Tab: Infrastructure
Category: Firewalls, IDS, IPS, and Networking

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub