FIDP-06

Is authority for firewall change approval documented? Please list approver names or titles in Additional Info.

Explanation

This question is asking whether your organization has a formal, documented process for approving changes to firewall configurations, and specifically who has the authority to approve such changes. Firewalls are critical security controls that regulate network traffic between different network segments (for example, between the internet and your internal network). Changes to firewall rules can significantly affect your security posture: opening incorrect ports or allowing traffic from unauthorized sources could create security vulnerabilities.

The question is being asked in a security assessment because:

1. Change management for critical security infrastructure is a fundamental security practice.
2. Proper authorization ensures that firewall changes are necessary and properly vetted.
3. Documentation of approval authority creates accountability and an audit trail.
4. It helps prevent unauthorized or ad-hoc changes that could weaken security.

To best answer this question:

1. Confirm whether you have a documented process for firewall change approvals.
2. Identify the specific roles or individuals who have authority to approve firewall changes.
3. Be prepared to provide evidence of this documentation if requested.
4. In the 'Additional Info' section, list the names or titles of those with approval authority.

Even if you outsource firewall management to a third party, you should still have an internal approval process for the change requests you submit to your provider.

Example Responses

Example Response 1

Yes, our organization has a documented firewall change approval process as part of our Change Management Policy (CMP-12). All firewall changes require formal approval before implementation.

Additional Info: Firewall changes must be approved by at least one of the following: Chief Information Security Officer (CISO), Network Security Manager, or the IT Infrastructure Director. Emergency changes may be implemented with verbal approval from any of these authorities, followed by formal documentation within 24 hours.
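The policy in Example Response 1 can be enforced mechanically rather than by convention, which is also what produces the audit trail an assessor will ask for. The following Python module is an added example, not part of the original page or of any ResponseHub product. It assumes a hypothetical change request record and a constructed set of sample changes and timestamps, and encodes the two rules stated in the response: a change may only proceed with approval from one of the three documented titles, and an emergency (verbal) approval must be formally documented within 24 hours. Every decision appends an entry to the request's audit trail, and a separate report lists emergency changes whose documentation missed the window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Titles with documented approval authority, as listed in Example Response 1.
# In a real deployment these would be loaded from the change management policy.
AUTHORISED_APPROVERS = frozenset({
    "Chief Information Security Officer",
    "Network Security Manager",
    "IT Infrastructure Director",
})

# Emergency (verbal) approvals must be formally documented within this window.
EMERGENCY_DOC_WINDOW = timedelta(hours=24)


@dataclass
class FirewallChangeRequest:
    """Hypothetical change-ticket record (constructed for this example)."""
    change_id: str
    description: str
    requested_at: datetime
    approver_title: Optional[str] = None
    approval_kind: Optional[str] = None        # "formal" or "verbal"
    formal_doc_at: Optional[datetime] = None   # when a verbal approval was written up
    audit_trail: List[str] = field(default_factory=list)


def evaluate_change(req: FirewallChangeRequest, now: datetime) -> Tuple[bool, str]:
    """Decide whether the change may be applied and record the decision."""
    if req.approver_title is None or req.approval_kind is None:
        verdict = (False, "no approval recorded")
    elif req.approver_title not in AUTHORISED_APPROVERS:
        verdict = (False, f"'{req.approver_title}' is not an authorised approver")
    elif req.approval_kind == "formal":
        verdict = (True, f"formal approval by {req.approver_title}")
    elif req.approval_kind == "verbal":
        due = req.requested_at + EMERGENCY_DOC_WINDOW
        verdict = (True, f"emergency verbal approval by {req.approver_title}; "
                         f"formal documentation due by {due.isoformat()}")
    else:
        verdict = (False, f"unknown approval kind '{req.approval_kind}'")
    # Every decision, allow or deny, leaves an audit record on the ticket.
    req.audit_trail.append(f"{now.isoformat()} {req.change_id}: "
                           f"{'ALLOW' if verdict[0] else 'DENY'} - {verdict[1]}")
    return verdict


def overdue_emergency_changes(changes: List[FirewallChangeRequest],
                              now: datetime) -> List[str]:
    """IDs of verbal-approval changes not formally documented within 24 hours."""
    overdue = []
    for req in changes:
        if req.approval_kind != "verbal":
            continue
        deadline = req.requested_at + EMERGENCY_DOC_WINDOW
        never_documented = req.formal_doc_at is None and now > deadline
        documented_late = req.formal_doc_at is not None and req.formal_doc_at > deadline
        if never_documented or documented_late:
            overdue.append(req.change_id)
    return overdue


# Constructed sample data: one base timestamp and five tickets.
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)

SAMPLE_CHANGES = [
    FirewallChangeRequest("CHG-1001", "Allow TCP/443 from partner VPN range", T0,
                          "Chief Information Security Officer", "formal"),
    FirewallChangeRequest("CHG-1002", "Allow TCP/22 from a vendor address", T0,
                          "Network Administrator", "formal"),        # not authorised
    FirewallChangeRequest("CHG-1003", "Block outbound traffic to a flagged range", T0,
                          "Network Security Manager", "verbal"),     # never written up
    FirewallChangeRequest("CHG-1004", "Roll back rule 42 after an outage", T0,
                          "IT Infrastructure Director", "verbal",
                          formal_doc_at=T0 + timedelta(hours=6)),    # documented in time
    FirewallChangeRequest("CHG-1005", "Temporary NAT for migration", T0),  # no approval
]


def run_sample(now: datetime = T0 + timedelta(hours=30)):
    """Evaluate the sample tickets 30 hours after they were raised."""
    decisions = {r.change_id: evaluate_change(r, now) for r in SAMPLE_CHANGES}
    return decisions, overdue_emergency_changes(SAMPLE_CHANGES, now)


if __name__ == "__main__":
    decisions, overdue = run_sample()
    for cid, (allowed, reason) in decisions.items():
        print(cid, "ALLOW" if allowed else "DENY", "-", reason)
    print("overdue emergency documentation:", overdue)
```

The overdue report is the piece worth keeping on a schedule: a verbal approval is acceptable under the stated policy only because the 24-hour write-up is enforced, so a change that is never documented should surface as a finding rather than silently remain in place.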

Example Response 2

Yes, we maintain a documented firewall change management procedure (SOP-NET-003) that requires multi-level approval for all firewall rule modifications.

Additional Info: Firewall changes require technical review by the Network Security Engineer and final approval from either the Director of IT Operations (Jane Smith) or the Information Security Manager (Robert Johnson). All approvals are tracked in our ServiceNow change management system, with appropriate documentation retained for audit purposes.

Example Response 3

No, we do not currently have a formally documented process for firewall change approval. Our network administrator implements firewall changes as needed based on business requirements.

Additional Info: While we recognize this as a gap in our security controls, we are in the process of developing a formal change management procedure that will include documented approval authorities for firewall changes. We expect to have this implemented within the next 60 days as part of our security program maturation efforts.

Context

Tab: Infrastructure
Category: Firewalls, IDS, IPS, and Networking

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub