Rules tied to a business owner / ticket
Description
What this control does
This control requires that firewall rules, access control lists, network security group rules, and similar network policy configurations be linked to identifiable business owners and tracked via formal ticketing systems (e.g., ServiceNow, Jira, Remedy). Each rule must reference a business justification, responsible party, and originating change request or approval ticket. This ensures accountability, facilitates periodic reviews, and prevents orphaned or undocumented rules that create security blind spots. Enforcement typically occurs through change management workflows that reject rule creation without proper ticket references and ownership metadata.
Control objective
What auditing this proves
Demonstrate that all active network and firewall rules are traceable to approved business owners and documented change tickets, ensuring accountability and justification for network access permissions.
Associated risks
Risks this control addresses
- Orphaned firewall rules remain in place after business need expires, expanding attack surface unnecessarily
- Unauthorized or undocumented network access is granted without formal approval or audit trail
- Insider threats exploit untracked rules that bypass normal change control and accountability mechanisms
- Incident response teams cannot identify rule owners or business context during security events, delaying containment
- Compliance violations occur due to inability to demonstrate who authorized specific network access paths
- Technical debt accumulates as legacy rules persist without ownership or review, complicating migrations and upgrades
- Regulatory audits fail when auditors cannot trace network permissions to authoritative business justifications
Testing procedure
How an auditor verifies this control
- Obtain a complete export of all active firewall rules, ACLs, and network security policies from production environments, including metadata fields for owner, ticket reference, and creation date.
- Select a representative sample of 25-30 rules spanning different network zones, device types, and rule ages, ensuring inclusion of recently added and older legacy rules.
- For each sampled rule, verify the presence of a business owner field populated with a valid employee or department identifier.
- Cross-reference each rule's ticket identifier against the change management system to confirm the ticket exists, was approved, and matches the rule's scope and justification.
- Interview or survey business owners listed for a subset of rules to confirm they acknowledge ownership and can articulate current business justification.
- Review the organization's change control procedures and firewall rule management policies to verify mandatory requirements for owner assignment and ticket linkage.
- Identify any rules missing owner or ticket metadata, and trace their origin through configuration logs, change history, or interviews with network administrators.
- Test the enforcement mechanism by attempting to create a test rule without proper ownership or ticket reference, verifying that automated controls or workflows reject the submission.
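The following is an added example, not part of the original control text and not any vendor's tooling. It shows in working Python what the enforcement gate described under "What this control does" and the auditor's cross-reference steps above both reduce to: every rule must carry an owner that resolves in the directory and a ticket that exists, is approved, and matches the rule's scope. The rule export, ticket lookup, directory, and the field names (`owner`, `ticket`, `dst`, `port`, `created`) are all constructed assumptions; a real export from a firewall manager or change system will use its own schema and need a small adapter. The same check is applied twice: once as a pre-creation gate (reject on any finding) and once as the audit sweep over the whole export. A helper also builds the stratified sample the testing procedure asks for (every zone, plus the oldest and newest rules).

```python
import random

# Constructed sample data (not from any real environment): a firewall rule
# export with the metadata fields the control requires, a change-ticket
# lookup keyed by ticket id, and an identity directory of valid owners.
RULE_EXPORT = [
    {"id": "FW-001", "zone": "dmz", "device": "edge-fw-1", "dst": "10.0.2.10",
     "port": 443, "owner": "jsmith", "ticket": "CHG0001", "created": "2023-01-15"},
    {"id": "FW-002", "zone": "dmz", "device": "edge-fw-1", "dst": "10.0.2.11",
     "port": 443, "owner": "", "ticket": "CHG0002", "created": "2019-06-03"},
    {"id": "FW-003", "zone": "internal", "device": "core-fw-2", "dst": "10.0.5.5",
     "port": 22, "owner": "netops", "ticket": "", "created": "2018-11-20"},
    {"id": "FW-004", "zone": "internal", "device": "core-fw-2", "dst": "10.0.5.9",
     "port": 3389, "owner": "netops", "ticket": "CHG0003", "created": "2024-02-01"},
    {"id": "FW-005", "zone": "cloud", "device": "nsg-prod", "dst": "10.1.0.4",
     "port": 8080, "owner": "ghost", "ticket": "CHG0004", "created": "2024-05-10"},
    {"id": "FW-006", "zone": "cloud", "device": "nsg-prod", "dst": "10.1.0.7",
     "port": 443, "owner": "acme-payments", "ticket": "CHG0009", "created": "2024-06-30"},
]

# Constructed ticket records: status plus the scope the change was approved for.
TICKETS = {
    "CHG0001": {"status": "approved", "dst": "10.0.2.10", "port": 443},
    "CHG0002": {"status": "approved", "dst": "10.0.2.11", "port": 443},
    "CHG0003": {"status": "approved", "dst": "10.0.5.5", "port": 22},
    "CHG0004": {"status": "rejected", "dst": "10.1.0.4", "port": 8080},
}

# Constructed directory of employee / department identifiers allowed as owners.
DIRECTORY = {"jsmith", "netops", "acme-payments"}


def validate_rule(rule, tickets=TICKETS, directory=DIRECTORY):
    """Return the reasons a rule fails the control; an empty list means it passes.

    The same function serves as the pre-creation gate (reject if non-empty)
    and as the per-rule check in the audit sweep.
    """
    findings = []
    owner = rule.get("owner", "")
    if not owner:
        findings.append("missing owner")
    elif owner not in directory:
        findings.append(f"owner {owner!r} is not a known employee or department")

    ticket_id = rule.get("ticket", "")
    if not ticket_id:
        findings.append("missing ticket reference")
        return findings
    ticket = tickets.get(ticket_id)
    if ticket is None:
        findings.append(f"ticket {ticket_id} not found in change system")
        return findings
    if ticket["status"] != "approved":
        findings.append(f"ticket {ticket_id} status is {ticket['status']!r}, not approved")
    # Scope check: the approved destination/port must match what the rule opens.
    if (ticket["dst"], ticket["port"]) != (rule["dst"], rule["port"]):
        findings.append(f"ticket {ticket_id} scope {ticket['dst']}:{ticket['port']} "
                        f"does not match rule {rule['dst']}:{rule['port']}")
    return findings


def audit(rules, tickets=TICKETS, directory=DIRECTORY):
    """Audit sweep: map rule id -> findings for every rule that fails."""
    return {r["id"]: f for r in rules if (f := validate_rule(r, tickets, directory))}


def sample_rules(rules, n, seed=0):
    """Stratified sample: at least one rule per zone plus the oldest and newest,
    then random fill up to n. May return slightly more than n when coverage
    alone needs it. ISO dates sort correctly as strings."""
    rng = random.Random(seed)
    by_age = sorted(rules, key=lambda r: r["created"])
    chosen = {by_age[0]["id"]: by_age[0], by_age[-1]["id"]: by_age[-1]}
    for zone in sorted({r["zone"] for r in rules}):  # sorted: deterministic order
        pick = rng.choice([r for r in rules if r["zone"] == zone])
        chosen.setdefault(pick["id"], pick)
    remaining = [r for r in rules if r["id"] not in chosen]
    rng.shuffle(remaining)
    for r in remaining[:max(0, n - len(chosen))]:
        chosen[r["id"]] = r
    return list(chosen.values())


if __name__ == "__main__":
    for rule in sample_rules(RULE_EXPORT, 4):
        problems = validate_rule(rule)
        status = "PASS" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{rule['id']} ({rule['zone']}, {rule['device']}): {status}")
```

Of the constructed rules only FW-001 passes; the others reproduce the failure modes the procedure looks for: an empty owner, an empty ticket, a ticket whose approved scope differs from what the rule opens, an owner absent from the directory combined with a rejected ticket, and a ticket id that the change system does not know. Rules with findings are exactly the ones to trace through configuration history or administrator interviews in the step above.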
Where this control is tested