A friend and I were imagining the following hypothetical situation: somebody performs a change to a network service which subsequently (let’s presume it’s business critical) is out of action for an extended period of time as a result. Documented change control processes were not followed. Is this a security incident?
My answer: yes it is. It’s non-malicious but in effect it’s a denial-of-service incident that could impact on the company’s ability to function. So, there is an operational cost impact. In addition, the fact that the proper change process wasn’t followed means that numerous different bits of corporate compliance are likely to be called into question. We could also call into question business continuity processes and wonder how many other unauthorised changes have occurred prior to the event.
An opposing view is that it’s a management – and disciplinary – issue not requiring the input of the security team.
Which side of the fence are you on? Anyone?