Enterprise Firewall request for Change management

Lots of people ask us how do we insure we have up to date firewall policy. we say insure you have a review policy in place so every 6 months you do this: 

Firewall Rule Policy Request change Procedure for Organization X and Remote location.

Summery

IT management and staff at Organization X are authorized to manage the wired and wireless networks at the X Location’s and COLO.

IT and IS systems utilize firewalls based on layer 7 firewalls; in many locations to protect these networks from disruption, intrusion, and other cyber threats posed by a lasting connection to the Internet and its inter LAN connection within ORGX and its remote offices.

Purpose

The purpose of this procedure is to:

• Manage the deployment and configuration of firewalls at the Organization X and remote locations, located in 25+ sites.
• Enforce the security of ORGX’s information and electronic communications resources.
• Prevent the possible intrusion of ORGX networks from unauthorized users.

Scope

This process applies to all firewalls at Organization X and its remote offices. This standard does not apply to firewalls deployed by independent agents or any personal agent’s machines.

Process

Firewall rule changes are usually requested by computer support team (HELPDESK) or IT managers for their network subnet and approved by their supervisor or authorized experience contractor. 

All firewall rule change requests must follow the above figure layout:

1. Require a predefined lead time to be applied.
2. Must include the following information:
1. Source and destination addresses, including IP's and domain names (where applicable).
2. Source and destination ports requested to be open.
3. Date when the change is required.
4. An explanation or reason why the change is needed.( example .. ICloud is not working for Agent X, and he needs this service.).
3. Will be evaluated to ensure that they conform to current IT security standards and best practices and will be denied if they do not meet current these standards.
4. Will be subjected to weakness testing by IT Information Security and an outside contractor.
5. If approved, will be scheduled to be implemented according to IT Management procedures.
6. Approval must have 2 IT personals. 1 from ORGX Helpdesk main staff and one from the outside contracted it staff or a senior IT staff. This to insure full integrity of policy implementation.
7. Documentation and Backup. After the changes are made, the changes must be documented and e-mailed to all IT staff, and the current firewall configuration must be backed-up before and after the changes. The backup will also be saved to the local IT staff shared drive.

Exceptional Circumstances

Deployed firewall rules will be re-evaluated over time and may be canceled if security requirements change in the future.  

Emergency firewall rule change requests must be approved by IT management. But can bypass the above process to fix a major limitation in the network. Or for example to stop a DDOS attack or a virus threat.