Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

ISO/IEC27000: Change Control Management

by Megan Daudelin
June 20, 2016

ISO/IEC27000: Change Control Management

As changes to devices, policies, files, and folders occur on a daily basis, many organizations often lose track of changes that can leave a network vulnerable to attack. The smallest change can lead to system outages, data loss, and can add unwanted security risks and increased costs for an organization. The ISO/IEC27000 Change Control Management dashboard can assist the organization in monitoring device, software, and network change control events.

The ISO/IEC 27002:2013 framework is a global security standard that provides best practice solutions in support of the controls found in Annex A of ISO/IEC 27001:2013. The framework establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management systems (ISMS). Each of the security controls and objectives provided within the standard can be tailored to specific business and regulatory objectives and assist with maintaining overall compliance. This dashboard focuses on the ISO/IEC 27002 12.1.2 and 12.5.1 controls that will identify any change control or configuration events on a network.

Proper change control management allows organizations to be aware of changes in their environment, understand potential impacts, and achieve business goals without unnecessary delay. Both authorized and unauthorized changes to a network device, software, file, or folder can impact user access to systems and result in loss of integrity. Without change control procedures in place, changes can be made without management’s knowledge, formal risk assessment, or approval.

The components in this dashboard provide a comprehensive view of change events using the Log Correlation Engine (LCE). LCE provides information on normalized events for device changes, software modifications, file and directory changes, and statistical indicators. Statistical event indicators use keywords to identify normalized event logs that the analyst should review further, including service changes, user activity, and suspicious activity. Changes on network devices will provide the analyst with targeted information, which can be used to strengthen change control management procedures.

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:

  • Tenable.sc 5.3.1
  • LCE 6.0.0

Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes Tenable.sc Continuous View (CV), Nessus, NNM and LCE. Tenable.sc CV performs log normalization from hundreds of unique data sources. LCE performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers and critical infrastructure.

This dashboard contains the following components:

  • Daily Usage Summary - Configuration Changes: This component collects the top 10 configuration changes. Adding a new user account into Windows, changing a firewall rule, or installing new software may generate these events. Networks are always evolving and constantly require changes. Tenable.sc Continuous View (Tenable.sc CV) customers can detect these changes by monitoring LCE and syslog events. NNM can alert in real-time when new hosts are discovered. This component refreshes hourly and should be monitored throughout the workday.
  • ASD Top 4 Mitigation Strategies - Software Modification Events: This component provides an indicator for file changes or modification events collected from systems with LCE Clients installed, or from systems where syslogs are collected. For each indicator, when a pattern match is found, the indicator will turn purple. Some of the event indicators in the matrix are application changes, a Windows executable file has changed, and UNIX library file changes. The indicators of this component provide system administrators with a central location to monitor for authorized or unauthorized software execution, installation, or changes. Regardless of if the software is downloaded from the internet or a USB drive, LCE Client software can log the application events. When configured appropriately, whitelisting can help prevent unauthorized intruders from modifying or adding software to secure servers or workstations.
  • File Integrity Monitoring - File and Directory Change Event Details - Past 7 Days: The File and Directory Change Event Details – Past 7 Days table lists the events related to file changes detected in the past 7 days by count. This table uses the Normalized Event Summary tool and filters based on the keyword “File” and the “detected-change” type. The data in this table can be useful in determining the most common file change events and where they originate.
  • Stats Summary - Stats Indicators: This dashboard component shows the 40 different types of anomalies that the statistics daemon monitors. If there is one or more events for each of the anomalies monitored, it will be indicated in this component.
  • CSF - Network Changes: This component displays a list of network changes over the last 72 hours. There are several normalized event types presented that detect changes from servers, database, and infrastructure devices. Many of these detected changes are additions to the network, such as new hosts, new software, policy and security settings changes, and new open ports. Any new additions or changes should be investigated to determine if they are authorized. To obtain additional information, the analyst can click on any of the normalized events.
  • CSF - Top Detected Changes (Last 72 Hours): This table displays the top change events detected on the network in the last 72 hours. The table is sorted so that the changes detected most often are at the top. This table can be used by an analyst to investigate recent network changes and determine if they are appropriate and authorized. Clicking on the Browse Component Data icon will bring up the event analysis screen to display all of the detected change events and allow further investigation. In the analysis screen, clicking on a particular event will display all occurrences of that event. Setting the tool to IP Summary will display the systems on which the events occurred. Setting the tool to Raw Syslog will display the raw syslog of the events, which can give more details.
Try for Free Buy Now

Try Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.