Hypothetical situation: security incident or not?

A friend and I were imagining the following hypothetical situation: somebody performs a change to a network service which subsequently (let’s presume it’s business critical) is out of action for an extended period of time as a result. Documented change control processes were not followed. Is this a security incident?

My answer: yes it is. It’s non-malicious but in effect it’s a denial-of-service incident that could impact on the company’s ability to function. So, there is an operational cost impact. In addition, the fact that the proper change process wasn’t followed means that numerous different bits of corporate compliance are likely to be called to question. We could also call to question business continuity processes and wonder how many other unauthorised changes have occurred prior to the event.

An opposing view is that it’s a management – and disciplinary – issue not requiring the input of the security team.

Which side of the fence are you? Anyone?


I would say it's an incident. Malicious or not, it represents a serious compromise of network infrastructure. It's likely that other changes have also gone ahead without following process so there's a lot of follow up audit work to be done.
Yes, it's a security incident.

> Documented change control processes were not followed.

The operative word here is "control". Because the procedures were not followed, "control" was lost (albeit that the "rules" here are a more relaxed, permissive form of corporate control). Imagine that a notional percentage "x" of technical staff occasionally or always ignore the change control rules, such that the incidence of adverse outcomes exceeds another notional "acceptable" level "y" of such adverse outcomes - remember, we've already described the outcome here as a business-critical loss of network service. A company losing control of its change processes to that extent might even attract criminal or civil sanctions as a direct or indirect consequence. So if it can threaten the corporate entity to that extent, it's a security issue.
Incident. But I'd bet that the security team would be the last to find out...
My vote is for an administrative incident with security ramifications. I don't believe an accidental denial of service instigated by an authorized but improperly conducted change warrants the response that a security incident would produce.