Is authority for firewall change approval documented? Please list approver names or titles in Additional Info.
Explanation
Reviewers want documented accountability for firewall changes, including a formal approval process and a clear record of who holds the authority to approve them.
Firewalls are critical security controls that regulate network traffic between different network segments (like between the internet and your internal network). Changes to firewall rules can significantly impact your security posture - opening incorrect ports or allowing traffic from unauthorized sources could create security vulnerabilities.
The question is being asked in a security assessment because:
- Change management for critical security infrastructure is a fundamental security practice
- Proper authorization ensures that firewall changes are necessary and properly vetted
- Documentation of approval authority creates accountability and an audit trail
- It helps prevent unauthorized or ad-hoc changes that could weaken security
To best answer this question:
- Confirm whether you have a documented process for firewall change approvals
- Identify the specific roles or individuals who have authority to approve firewall changes
- Be prepared to provide evidence of this documentation if requested
- In the 'Additional Info' section, list the names or titles of those with approval authority
Even if you outsource firewall management to a third party, you should still have internal approval processes for requesting changes to your provider.
Example Responses
Example Response 1
Yes, our organization has a documented firewall change approval process as part of our Change Management Policy (CMP-12) All firewall changes require formal approval before implementation Additional Info: Firewall changes must be approved by at least one of the following: Chief Information Security Officer (CISO), Network Security Manager, or the IT Infrastructure Director Emergency changes may be implemented with verbal approval from any of these authorities, followed by formal documentation within 24 hours.
Example Response 2
Yes, we maintain a documented firewall change management procedure (SOP-NET-003) that requires multi-level approval for all firewall rule modifications Additional Info: Firewall changes require technical review by the Network Security Engineer and final approval from either the Director of IT Operations (Jane Smith) or the Information Security Manager (Robert Johnson) All approvals are tracked in our ServiceNow change management system with appropriate documentation retained for audit purposes.
Example Response 3
No, we do not currently have a formally documented process for firewall change approval Our network administrator implements firewall changes as needed based on business requirements Additional Info: While we recognize this as a gap in our security controls, we are in the process of developing a formal change management procedure that will include documented approval authorities for firewall changes We expect to have this implemented within the next 60 days as part of our security program maturation efforts.
Context
- Tab
- Infrastructure
- Category
- Firewalls, IDS, IPS, and Networking
Related questions
- Are you utilizing a stateful packet inspection (SPI) firewall?
- Do you have a documented policy for firewall change requests?
- Have you implemented an intrusion detection system (network-based)?
- Do you employ host-based intrusion detection?
- Are audit logs available for all changes to the network, firewall, IDS, and IPS systems?
- Have you implemented an intrusion prevention system (network-based)?

