Sarbanes Oxley Compliance Journal

Proving Control of the Infrastructure


The need for independent detective controls within Change and Configuration Management

By Rob Warmack, Senior Director of Marketing, Tripwire

In virtually every industry, the success of an organization is inextricably linked to the reliability, availability and security of its Information Technology. Consequently, IT management must identify and analyze the relevant risks facing its production environment and then put controls in place to prevent, detect and correct them. Not only are these controls required for effective management, they are also good for business and fundamental to meeting regulatory compliance requirements.

Although security often gets the spotlight, the larger risks to the organization are system reliability and availability issues. Gartner asserts that "80 percent of unplanned downtime is caused by people and process issues, including poor change management practices, while the remainder is caused by technology failures and disasters." IDC cites similar findings: operator error is the single largest source of outages, causing nearly 60 percent of overall infrastructure downtime.

Getting Control
Driven by Sarbanes-Oxley legislation and a growing list of other regulations, IT management is quickly coming to appreciate both the importance of internal process control to the organization at the highest levels and the significant effort required to continually prove that internal process controls are both in place and effective. Likewise, the audit industry is working to provide IT management with open control frameworks, such as Control Objectives for Information and related Technology (COBIT) and ISO 17799, to help identify, document and evaluate IT controls.

In the language of audit, high performing IT organizations must have internal process controls to mitigate the inherent risks of change. Internal process controls are policies, procedures, and practices put in place to ensure that business objectives are achieved and risk mitigation strategies are carried out.

According to the Institute of Internal Auditors, there are three categories of internal process controls, all of which are relevant to change management:

• Preventive Controls: controls that define the roles and responsibilities, processes, and policies intended to manage change management risks;

• Detective Controls: controls that automatically track and reconcile production changes, and detect when preventive controls fail; and

• Corrective Controls: controls that provide recovery mechanisms to mitigate the impact of failed changes.

These three categories of control are independent of one another, and each must provide verifiable evidence not only that the control exists, but that it is effective against the identified risks.

Though IT organizations vary in sophistication, most are likely to have some preventive controls in place to define change management and security policies. For instance, they may have policies that require changes to be formally requested, approved and tested before deployment. From a security perspective, effective perimeter defenses and identity management tools and technologies are expected to be in place to maintain a defensible barrier around the network.

However, merely having preventive controls is not enough: without the balance and enforcement of a detective control, preventive processes are easily circumvented or simply ignored. Unintended and unauthorized changes made to production infrastructure go unchecked and often result in unplanned downtime. Likewise, malicious changes can either penetrate the security perimeter or originate from within the organization unnoticed, only to be discovered after IT service is impacted. And if a failure in a preventive control goes undetected, corrective actions aren't likely to be triggered until the failure becomes visible throughout the organization.

A detective control serves as a tripwire that discovers the failure or circumvention of preventive controls and alerts IT or triggers associated processes to take corrective action. To be effective against the increasing volume of changes, a detective control must cover the breadth of the infrastructure and independently discover change made by any source. By reconciling desired changes and exposing those that are undesired, an effective detective control automatically audits change and provides IT managers and auditors comprehensive, meaningful reports of change activity.

Defining Automated Change Auditing
Change auditing isn't a new concept. Manual inspections and custom scripts are commonly used to verify that changes are made correctly. However, several trends create very real challenges for IT: the growing volume of changes driven by the business, the increased rate of change driven by automated change deployment technologies (e.g., patch management and software distribution), and the inability to manually reconcile these changes to authorized work orders. Consequently, the majority of changes (and with them the integrity of the change management process) are simply assumed to be properly managed.

To auditors and a growing number of IT executives, "management by good intentions" is unacceptable. On-the-fly modifications, work-arounds, and untested quick fixes eventually take their toll as system configurations drift slowly away from a known and trusted state and processes break down from a lack of enforcement. The price is paid later, when unexplained outages follow failed patches or servers can't be quickly rebuilt, and unplanned work is required to resolve the issues. More and more time is spent on rework and unplanned work, detracting from completion of planned work.

The solution is automated change auditing, which addresses reliability, availability and security simultaneously and has three critical functions within the change and configuration management (C/CM) process:

• independent detection of change regardless of source or intent;

• reconciliation of detected change with intended and authorized change; and

• independent reporting of all change activity across production systems.

Independent change detection: The fundamental role of change auditing is to serve as an independent detective control with the ability to automatically detect system changes across an entire infrastructure composed of a disparate, far-flung mix of servers, routers, firewalls, databases, etc.

As an independent detective control properly segregated from the persons or technologies making the changes, the change auditing system detects changes regardless of who made the change or why the change was made. This means capturing automated and manual changes, authorized and intended changes, as well as the occasional unauthorized, unintended, or potentially malicious change, in sufficient detail to determine the date, time, implementer, system, and the details of the change made.

Detecting change at this level requires first maintaining a baseline for each system to define a known and trusted state of software files and configurations, and then continually checking all systems to discover when deviations from baselines occur. By logging and accepting only those changes that are authorized and intended, IT management has continual proof that the integrity of the infrastructure is intact.

Change reconciliation: The majority of infrastructure changes are authorized and intended, and they must be independently validated to prove that desired changes occur as planned. More importantly, desired changes must be resolved and filtered out to uncover any undesired changes. If a change can't be correlated back to the change approval or release management process, a preventive control has been compromised and corrective controls must be triggered.

Integration with other C/CM tools enables the change auditing system to automatically correlate detected changes with approved intentions and trigger recovery whenever necessary. Change ticketing systems define which changes are approved, may describe the intended changes, and can indicate when the changes should be made and by whom. Within release management, software distribution or configuration management tools can also define what changes were expected to be deployed. When undesired change is detected, the change auditing system must alert the appropriate systems and network monitoring tools and open incident tickets within the service desk so the undesired change can be investigated. For practicality and usability within an enterprise, it is essential that the change auditing system be highly scalable and centralized, and that it offer sufficient interfaces to support these integrations.

Independent reporting: A change auditing system provides IT management and auditors proof of systems and process integrity by generating an independent accounting of actual changes across the breadth of the infrastructure, reconciled with authorized and intended changes. These reports offer ongoing proof that effective change controls are in place, as well as provide decision support tools for problem management.

Complementing what a change ticketing or configuration management tool can provide, a change auditing system provides an independent, verifiable audit log of all actual change activity, not just planned changes.

Performance indicators generated by change auditing can serve as IT operational metrics, as well as security and assurance metrics, reporting:

• the number of actual changes made to the IT infrastructure;

• the number of those changes that were authorized;

• the variance between planned and actual changes; and

• where the most frequent changes are being made and who is making them.
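The three functions described above (baseline-and-compare detection, reconciliation against approved tickets, and the resulting metrics) are concrete enough to show in code. The following is an added example written for this page, not Tripwire's product or any code from the original article. It assumes a ticket is a plain record with an id, a list of path prefixes it covers, a change window and an implementer; those field names, the sample files and the change tickets are all constructed for the demonstration. Attribution of "who" made a change comes from the matching ticket here, since file hashes alone cannot identify the operator.

```python
"""Minimal file-integrity change auditor: baseline, detect, reconcile, report."""
import hashlib
import tempfile
import time
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


def snapshot(root: Path) -> dict:
    """Baseline: sha256, size and mode of every regular file under root.
    Paths are stored relative to root (POSIX form) so baselines are portable."""
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            state[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return state


@dataclass
class Change:
    path: str
    kind: str                     # "added", "modified" or "removed"
    detected_at: float
    ticket: Optional[str] = None  # set by reconcile(); None means unauthorized


def detect(baseline: dict, current: dict, now: float) -> list:
    """Compare live state with the baseline, regardless of who changed what or why."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append(Change(path, "added", now))
        elif path not in current:
            changes.append(Change(path, "removed", now))
        elif baseline[path] != current[path]:
            changes.append(Change(path, "modified", now))
    return changes


def reconcile(changes: list, tickets: list) -> list:
    """Attribute each change to an approved ticket whose scope (path prefix) and
    change window both cover it. Whatever is left over is an undesired change."""
    for c in changes:
        for t in tickets:
            in_scope = any(c.path.startswith(prefix) for prefix in t["paths"])
            in_window = t["start"] <= c.detected_at <= t["end"]
            if in_scope and in_window:
                c.ticket = t["id"]
                break
    return changes


def report(changes: list, tickets: list) -> dict:
    """Operational and assurance metrics: actual vs authorized vs planned changes."""
    by_id = {t["id"]: t for t in tickets}
    used = {c.ticket for c in changes if c.ticket}
    who = Counter(by_id[c.ticket]["implementer"] if c.ticket else "unknown" for c in changes)
    return {
        "actual_changes": len(changes),
        "authorized": sum(1 for c in changes if c.ticket),
        "unauthorized": [c.path for c in changes if not c.ticket],
        "planned_but_not_seen": sorted(t for t in by_id if t not in used),  # variance
        "by_implementer": dict(who),
    }


def run_demo() -> dict:
    """Constructed scenario (hypothetical files and tickets): baseline three files,
    apply one approved deployment and two out-of-band edits, then audit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF-v1")
        baseline = snapshot(root)

        now = time.time()
        tickets = [  # constructed approvals; CHG-1043 is approved but never executed
            {"id": "CHG-1042", "paths": ["bin/"], "start": now - 3600, "end": now + 3600, "implementer": "release-bot"},
            {"id": "CHG-1043", "paths": ["etc/hosts"], "start": now - 3600, "end": now + 3600, "implementer": "netops"},
        ]
        (root / "bin" / "app").write_bytes(b"\x7fELF-v2")                     # covered by CHG-1042
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # nobody approved this
        (root / "etc" / "ld.so.preload").write_text("/tmp/x.so\n")           # nor this

        changes = reconcile(detect(baseline, snapshot(root), now), tickets)
        return report(changes, tickets)


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the baseline would be stored off-host and signed, so that an intruder who can alter the monitored files cannot also quietly re-baseline them; the comparison and the ticket data must stay independent of the people and tools making the changes, which is the segregation the article calls for.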

Change activity reports are also essential decision support tools when restoring service after interruptions and outages, and when resolving service incidents and problems. Change auditing information can be used to determine whether a change was a causal factor in an incident or problem. If changes are discovered, the detailed change information can be used to establish when the system was last in a known and trusted state, then identify exactly what changed from that baseline, when it changed, and even who made the change.

Proof Positive
Change auditing supports compliance by demonstrating that internal control structures for change management and security are in place and effective. When combined with a change approval process that allows only approved and tested changes to be implemented, change auditing increases the availability of information systems, both by enforcing better change management processes and by offering decision support tools to quickly remediate outages and incidents when they inevitably occur. Finally, change auditing enhances security and instills greater confidence in IT systems by demonstrating that only authorized and intended changes have been made to the production environment. These capabilities demonstrate that an independent change auditing solution is essential for proving control, as well as systems and process integrity, across the IT infrastructure.



Rob Warmack is senior director of Marketing at Tripwire, Inc. Rob has over 20 years of experience in the high technology and enterprise software industries and is responsible for Tripwire's corporate marketing, product management and marketing communications.

Rob has a proven history of understanding the evolving needs of the enterprise and addressing these needs with cutting-edge solutions. Prior to joining Tripwire, Rob led marketing and business development for Rulespace, a provider of web content recognition technology now in use by most major Internet service providers.

Prior to Rulespace, Rob served as vice president of Marketing for eFusion, a provider of VoIP-based telecommunications platforms and ASP services, and Clientele, a pioneer in help desk and customer relations management software.

Rob began his sales and marketing management career with IBM providing solutions to both Fortune 100 enterprises and small businesses.





© 2019 Simplex Knowledge Company. All Rights Reserved.