Audit and Assurance


email protection and detection application - Change MGNT

  • 1.  email protection and detection application - Change MGNT

    Posted 18 Feb, 2020 06:11
    I am working on an audit related to an email protection and detection application. Risk and Control mitigation related to changes made with this type of application.

    I wanted to get an opinion from this population of auditors as to what your organizations are performing and degree related to change control and for this type of application.

    I have read a few resources but I would appreciate any feedback someone may have about this topic. Thank you for your assistance.


    ------------------------------
    Philip Schmidt
    Lead Auditor
    ------------------------------


  • 2.  RE: email protection and detection application - Change MGNT

    Posted 20 Feb, 2020 01:53
    @Philip Schmidt

    With regard to change management of email surveillance applications:

    1. The change management documentation should include changes made to email surveillance software (protection and detection).
    2. Whether change requests are properly initiated and approved prior to implementation.
    3. Select a sample of changes made to the surveillance applications/systems to determine whether they were adequately tested and approved before being placed into a production environment. Establish if system security and surveillance controls are included in the approval process.
    4. Trace the sample of changes back to the change request log and supporting documentation.
    5. Evaluate procedures designed to ensure that only authorized/approved changes are moved into production.
    6. Determine if a process exists to control and supervise emergency changes (including data changes).
    7. Determine if a process exists to control and supervise emergency changes (including data changes).
    8. Determine if an audit trail of all emergency activity exists and that it is independently reviewed.
    9. Determine that procedures require that emergency changes be supported by appropriate documentation.
    10. Develop back out procedures for emergency changes.
    11. Evaluate procedures ensuring that all emergency changes are tested and subject to standard approval procedures after they have been made.
    12. Understand the involvement of surveillance management when accepting the final solution.
    13. Establish that there is a testing (staging) environment to ensure that application additions/changes do not affect email systems and applications.

    ------------------------------
    Vikram Raghuveer
    Manager-IT and internal audits
    ------------------------------