
Think You Can Do Without a CMDB at Audit Time? Think Again.


By Cindy Sterling, Peter Hill
Cindy Sterling
Program Executive for Compliance
BMC Software

Peter Hill
Director
IT Governance Network

An increasing number of regulations and industry standards have made doing business more complex than ever. IT organizations must achieve compliance with requirements set forth in these regulations, and be prepared to demonstrate that their efforts are working. What's more, in an effort to achieve compliance, as well as to reduce risk and work more efficiently, many IT organizations have also established internal policies that govern business processes.

To address this challenge, IT professionals are turning to a well-architected configuration management database (CMDB) as a repository for the information that is critical for reliable computer operations and which can make compliance processes easier to manage and track. Standardized industry frameworks have grown in popularity to achieve regulatory compliance and help transition to a more business-oriented approach to IT management. Two important frameworks play a key role - the IT Infrastructure Library (ITIL), which offers best practices in service management, and Control Objectives for Information and related Technology (COBIT), which provides controls for compliance. A CMDB, in turn, offers the foundation for implementing ITIL and COBIT.

The CMDB provides immediate access to information about the configuration of the IT environment and changes that have been made. It is a source of reliable, detailed, current, and historic data about your business. If it's properly federated, a CMDB can accurately substantiate your business practices against regulatory controls, so you can breathe easy during audit times. A federated CMDB is an approach that features a centralized database linked to other data stores with a common data model that carries information from one point to another, without the need to rewrite code.
CMDB - Your Central Command
Think of a CMDB as the central repository through which IT management processes in your IT infrastructure can exchange information. The CMDB is a place where disparate sources provide information about changes, releases, configuration, assets, incidents, etc. A well-architected CMDB maintains important information that helps IT understand the relationships of the components in the IT environment to the business processes they support. It identifies a set of configuration items and maintains all IT resources - technology assets, processes, and people - as configuration items. The CMDB maintains important details about those items and their relationships and helps IT address two major compliance requirements:
  • Tracking and reporting
  • Configuration control and verification
Tracking and Reporting
A major compliance requirement is that all activity in the IT environment that affects business processes must be tracked and reported, creating an audit trail of activity. Tracking and reporting must be done from the perspective of the business process, and in a holistic fashion that ties together all the IT processes that support the business processes.

To create compliance reports, many organizations currently use processes laden with manual procedures. The IT staff gathers data manually from a number of separate sources scattered across the enterprise, manually consolidates the data, and then manually correlates the data to business processes. This approach is inadequate for a number of reasons. It's time-consuming, labor-intensive, error-prone, and expensive.

The CMDB, in contrast, provides a single, comprehensive, and easily accessible source of tracking information for reporting purposes, eliminating the need for manual data gathering and consolidation. Through the information maintained in the CMDB, IT can understand the impact of IT processes on business processes with respect to compliance. For example, it can help address the following questions:
  • Has compliance of a specific business process been affected by changes made to the IT infrastructure?
  • Has compliance of a specific business process been impacted by incidents and problems that have occurred, and what was the outcome?
  • Does a specific business process meet compliance with respect to data backup procedures?
  • Has the migration of data used by a specific business process to another data storage device impacted compliance?
By providing automatic tracking of all pertinent IT processes, and providing the mapping of the IT processes to business processes, the CMDB can help IT reduce the cost of compliance reporting significantly.
Configuration Control and Verification
Unauthorized changes expose the organization to non-compliance. For example, the deployment of an untested patch to a server operating system opens up a security hole in a financial reporting application, which results in a non-compliance status. That's why it's critical to ensure that all changes are carefully controlled through best-practices change management processes.

Here's how the CMDB can help. The CMDB can be configured to maintain:
  • A list of all people authorized to approve changes and what types of changes each person is authorized to approve
  • A list of all people authorized to implement changes and what types of changes each person is authorized to implement
  • A list of authorized configurations for all IT technology assets
Your change-management application can use this data to ensure that only authorized people are approving and making changes, and that they are implementing only those changes they are authorized to implement. Auto-discovery capabilities can be added to the environment and used to continually monitor the IT infrastructure, updating the configuration information maintained in the CMDB and automatically recording all changes, both planned and unplanned.

The configuration management application can be used to monitor the CMDB configuration information to detect any changes, to determine whether a change has resulted in an unauthorized configuration, and to determine what business processes are affected by the changes. This continual update of the CMDB provides two important functions for compliance:
  • An audit trail of all changes, planned and unplanned
  • An early warning of unauthorized changes
If it detects an unauthorized configuration that results from a change, the configuration management application can restore the offending resource to an authorized configuration and record an audit trail of this restoration in the CMDB. Finally, and perhaps most importantly, the CMDB maintains a mapping of IT resources to business processes. This mapping information can be used by compliance analysis and reporting mechanisms to automatically correlate events to business processes. It permits tracking and reporting of the overall business process, automatically tying together the multiple IT processes involved in the overall business process.
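The control loop described in the Tracking and Reporting and Configuration Control and Verification sections, as an added illustration in Python (not the article's code and not any BMC product): a small in-memory CMDB holding an authorized baseline per configuration item, the approver and implementer authorization lists, and the mapping from configuration items to business processes. A change is applied only when both people hold authority for that change type; a discovered configuration is reconciled against the baseline, with any unplanned difference flagged as an unauthorized change and restored; every decision lands in an audit trail together with the business processes affected. All names, configuration keys and values are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: authorized ("golden") configuration per configuration item (CI).
AUTHORIZED_CONFIG = {
    "srv-fin-01": {"os_patch_level": "2023-09", "ssh_root_login": "no", "audit_logging": "on"},
    "db-gl-01": {"version": "14.2", "backup_schedule": "daily"},
}

# Constructed mapping of each CI to the business processes it supports.
CI_TO_PROCESS = {
    "srv-fin-01": {"Financial Reporting"},
    "db-gl-01": {"Financial Reporting", "General Ledger Close"},
}

# Constructed authorization lists: who may approve / implement which change types.
APPROVERS = {"alice": {"patch", "config"}, "bob": {"config"}}
IMPLEMENTERS = {"carol": {"patch", "config"}, "dave": {"patch"}}


@dataclass
class ChangeRequest:
    ci: str
    change_type: str   # e.g. "patch" or "config"
    approver: str
    implementer: str
    new_values: dict   # configuration keys the change sets


@dataclass
class CMDB:
    authorized: dict
    ci_to_process: dict
    audit_trail: list = field(default_factory=list)

    def _log(self, event, **details):
        self.audit_trail.append(
            {"time": datetime.now(timezone.utc).isoformat(), "event": event, **details})

    def impacted_processes(self, ci):
        """Business processes that depend on this CI (impact analysis and reporting)."""
        return sorted(self.ci_to_process.get(ci, ()))

    def authorize_change(self, cr):
        """Apply a planned change only if approver and implementer hold the right authority.
        Returns (accepted, reason); every decision is written to the audit trail."""
        if cr.change_type not in APPROVERS.get(cr.approver, ()):
            reason = f"{cr.approver} may not approve {cr.change_type} changes"
        elif cr.change_type not in IMPLEMENTERS.get(cr.implementer, ()):
            reason = f"{cr.implementer} may not implement {cr.change_type} changes"
        else:
            reason = None
        if reason:
            self._log("change_rejected", ci=cr.ci, reason=reason)
            return False, reason
        # Planned, authorized change: the new values become the authorized baseline.
        self.authorized.setdefault(cr.ci, {}).update(cr.new_values)
        self._log("change_applied", ci=cr.ci, planned=True, values=dict(cr.new_values),
                  processes=self.impacted_processes(cr.ci))
        return True, "authorized"

    def _drift(self, ci, discovered):
        # Keys whose discovered value differs from the baseline -> (authorized, discovered)
        return {k: (v, discovered.get(k))
                for k, v in self.authorized.get(ci, {}).items() if discovered.get(k) != v}

    def reconcile(self, ci, discovered):
        """Compare an auto-discovered configuration with the authorized one; an unplanned
        difference is the early warning of an unauthorized change."""
        drift = self._drift(ci, discovered)
        if drift:
            self._log("unauthorized_change_detected", ci=ci, planned=False, drift=drift,
                      processes=self.impacted_processes(ci))
        return drift

    def remediate(self, ci, discovered):
        """Return the configuration restored to the authorized baseline and record it."""
        drift = self.reconcile(ci, discovered)
        restored = {**discovered, **self.authorized.get(ci, {})}
        if drift:
            self._log("restored_to_authorized", ci=ci, keys=sorted(drift))
        return restored


def new_cmdb():
    """Fresh CMDB loaded with the constructed sample data (copied so runs stay independent)."""
    return CMDB(authorized={ci: dict(cfg) for ci, cfg in AUTHORIZED_CONFIG.items()},
                ci_to_process={ci: set(p) for ci, p in CI_TO_PROCESS.items()})


if __name__ == "__main__":
    cmdb = new_cmdb()
    # bob may only approve "config" changes, so this patch request is rejected.
    print(cmdb.authorize_change(ChangeRequest("srv-fin-01", "patch", "bob", "carol",
                                              {"os_patch_level": "2023-10"})))
    print(cmdb.authorize_change(ChangeRequest("srv-fin-01", "patch", "alice", "carol",
                                              {"os_patch_level": "2023-10"})))
    # Discovery later finds root SSH login switched on with no change record behind it.
    print(cmdb.remediate("srv-fin-01", {"os_patch_level": "2023-10",
                                        "ssh_root_login": "yes", "audit_logging": "on"}))
    for entry in cmdb.audit_trail:
        print(entry)
```

The audit trail carries the affected business processes on every entry, which is what lets a compliance report answer "has Financial Reporting been affected by a change?" without manually correlating change records to processes afterwards.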

By putting in place a CMDB and leveraging that foundation with IT service management applications that support ITIL best practices and COBIT controls, organizations can reduce the cost and effort of achieving and demonstrating compliance with government regulations, industry standards, and internal policies. What's more, compliance efforts can act as a catalyst and provide a foundation for the initiatives that align IT even more closely with the business.



Cindy Sterling
Program Executive for Compliance
BMC Software
Cindy Sterling, program executive for compliance, joined BMC Software in 1993 and is responsible for the execution of compliance initiatives. She has held technical and management positions at BMC supporting various product lines including job scheduling, output management, storage, application management, and identity management.

Peter Hill
Director
IT Governance Network
Peter Hill is an IT Governance consultant with ten years' experience. He is currently a director of the IT Governance Network, a company specializing in IT Governance consulting and training. Hill has extensive experience with COBIT, having used it as the umbrella model to implement IT governance, process improvement, compliance, and risk management activities for a number of clients. Hill has been at the forefront of information technology governance since the early 1990s. He has extensive knowledge across many of the areas within IT Governance and started working with COBIT in 1994. Recently, Hill participated as a member of the COBIT 4.0 development team. He has contributed to a number of publications on IT governance and COBIT.




© 2019 Simplex Knowledge Company. All Rights Reserved.