Audits and the Change Management Process

June 29, 2009 by ADMIN

By Gene Kim, CTO of Tripwire and co-founder of the IT Process Institute


Hal Pomeranz and I did a webinar called “Ditching the Infosec Stereotype: Part 1: Fixing Broken Change Control Processes” a couple of weeks ago.

As I mentioned in a previous blog entry, I’m a big fan of Hal.  I loved the work he’s done at places that had truly mission-critical environments, including at eBay, Cendant and Google.

He and I, along with Kevin Behr, share a common passion for how to deliver kick-ass IT, or as I’ve called it over the years, have amazing IT kung fu.

The webinar went great, but I think we were both surprised by the number of questions that we got from the webinar attendees. We had 22 questions posted, of which we could only answer a couple.

So, earlier today, we did a second webinar (post link) just to answer some of these questions. Over the next couple of weeks, I’ll be posting answers to some of them.

Question: How Should I Engage Internal Audit In The Change Management Process?

By the book, audit engagements have four distinct phases: planning, fieldwork, reporting and follow-up.

Life in IT management sucks when your time with auditors is dominated by preparing and undergoing audits as they do their fieldwork (imagine teams of auditors showing up with suitcases).

Or actually, far worse, when they’re walking you through their findings, extracting promises from you to have them fixed within 90 days in front of your boss.

Obviously, the way to reduce time spent in both of these areas is to have an effective change management process, with both preventive controls (e.g., defined policies, defined authorization levels, defined consequences when people go around the process, etc.) and detective controls (e.g., monitoring and reconciliation controls like Tripwire).

This allows you to assert and substantiate that you have no unauthorized changes.
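A minimal form of the reconciliation control described above, as an added example that is not Tripwire's code or anything from the original post: detected file changes (constructed sample data) are matched against authorized change tickets by host, path and approved change window, and anything unmatched is flagged as unauthorized.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    host: str
    paths: tuple        # files this ticket authorizes changes to
    start: datetime     # approved change window (inclusive)
    end: datetime


@dataclass(frozen=True)
class DetectedChange:
    host: str
    path: str
    observed_at: datetime


def reconcile(changes, tickets):
    """Match each detected change to an authorizing ticket.

    A change is authorized only if some ticket covers the same host AND
    the same path AND the observation time falls inside the approved
    window. Everything else is reported as unauthorized for follow-up.
    """
    authorized, unauthorized = [], []
    for c in changes:
        match = next((t for t in tickets
                      if t.host == c.host and c.path in t.paths
                      and t.start <= c.observed_at <= t.end), None)
        if match is None:
            unauthorized.append(c)
        else:
            authorized.append((c, match.ticket_id))
    return authorized, unauthorized


# Constructed sample data: one approved ticket and four observed changes.
TICKETS = [ChangeTicket("CHG-1001", "web01", ("/etc/nginx/nginx.conf",),
                        datetime(2009, 6, 27, 22, 0), datetime(2009, 6, 27, 23, 59))]
CHANGES = [
    DetectedChange("web01", "/etc/nginx/nginx.conf", datetime(2009, 6, 27, 22, 30)),  # in window
    DetectedChange("web01", "/etc/passwd", datetime(2009, 6, 27, 22, 35)),            # path not on ticket
    DetectedChange("db01", "/etc/my.cnf", datetime(2009, 6, 28, 10, 0)),              # no ticket at all
    DetectedChange("web01", "/etc/nginx/nginx.conf", datetime(2009, 6, 28, 3, 0)),    # outside window
]


def sample_reconciliation():
    return reconcile(CHANGES, TICKETS)
```

The unauthorized list is exactly what a change management meeting would review, and an empty one is the evidence behind the assertion that there were no unauthorized changes.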

But, provided that you have these controls in place, there is also a less formal way that you can help increase auditors’ perception of controls assurance. That’s to proactively reach out to internal audit, and offer them a standing invitation to join any of your change management meetings.

Sitting in on even one change management meeting allows them to observe the process and form an opinion on its effectiveness.

They will hopefully see how the meeting is being effectively run, how changes are evaluated and authorized, reviewed after their scheduled implementation, and how failures, exceptions and unauthorized changes are handled.

In auditor parlance, observation is one of the types of evidence that auditors can use to support their opinions on the effectiveness of controls. (The other types of evidence include surveys, testing and independent sources.)

If the auditor observes that no one is showing up to the change management meetings, authorizations are rubber-stamped without any real evaluation, and unauthorized changes and unplanned outages are occurring regularly, then she will likely flag this as a potential high-risk area.

However, if the auditor observes that the meetings are competently run, changes are documented and planned, authorizations are thoughtful and considered, and unauthorized changes are quickly dealt with, then this is likely to be viewed as a lower-risk area.

Consequently, they will likely spend less time in their fieldwork doing change control testing.

Contrast this to some organizations that spend hundreds, sometimes even thousands, of hours working on emergency projects to try to “clean house” before the auditors arrive to do their testing. This is what leads to sometimes absurd behaviors, such as closing 6000 change control tickets in one day.

Hal noted during the webinar that this level of transparency is good to extend not only to audit, but business stakeholders as well.


So, to summarize. Reach out proactively to your friendly internal IT auditor that you may have worked with in the past, ask for a meeting to share respective views of the risks that the IT change control processes are designed to mitigate, and offer to have someone on their team observe one of your change management meetings, sending them the relevant policies first.

This will help build a mutually respectful working relationship, help build an ongoing dialogue about risks, and provide transparency to them about how the change management process is being run.

If the change controls are actually working, this can dramatically reduce the amount of time the auditor spends in the fieldwork, reporting and follow-up phases of the audit.

Questions or comments? Feel free to send me a note on Twitter! I’m @RealGeneKim.

Gene Kim is the CTO of Tripwire, Inc. and co-founder of the IT Process Institute. He is currently actively working on a series of cross-industry projects to capture and codify how “best in class” organizations have IT operations, security, audit, management, and governance working together to solve common objectives. Gene co-chaired the “Generally Accepted IT Principles Summit” with the Institute of Internal Auditors in July 2005 to help codify how to create reasonable IT audit scope for SOX-404. In 2004, he co-wrote the Visible Ops Handbook, codifying how to successfully transform IT organizations from “good to great.” In 2003, he co-chaired two conferences with SANS and the Software Engineering Institute, and was named by InfoWorld as one of the “Four Up and Coming CTOs to Watch.” Gene is certified on both IT management and audit processes, possessing both ITIL Foundations and CISA certifications.

Tripwire helps over 6,500 enterprises worldwide reduce security risk, attain compliance and increase operational efficiency across virtual and physical environments. With its industry leading configuration assessment and change auditing software solutions, IT organizations achieve and maintain configuration control. Tripwire is headquartered in Portland, Ore. with offices worldwide.


The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com



Filed under: Breach, D&O Liability, FEATURE ARTICLE, Financial, Gene Kim, Government, ISR News, Insider Threat, PCI, Sarbanes-Oxley, Tripwire, Uncategorized, hackers, identity-theft, malware, national security, privacy 
