Solved

change management and config management testing

Posted on 2012-04-10
472 Views
Last Modified: 2012-04-25
Is there perhaps a top 5 checks an auditor or security boss could use to check his server admin/support team are following effective change and configuration management for their web servers? I.e. how can you check they are following effective change/configuration management? What evidence could prove/disprove this?
Question by:pma111
12 Comments
 
LVL 3

Author Comment

by:pma111
ID: 37827530
I guess I am after some sort of management basics on what change management controls, and how it's different from configuration management.

And how could a:

a) lack of change management ultimately make your system's security more vulnerable
b) lack of configuration management ultimately make your system's security more vulnerable

Cheers!
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 167 total points
ID: 37830690
Following the ITIL procedures would do this as it covers a multitude of topics that are all inter-related.

I use the Microsoft MOF (Operations Framework) - http://technet.microsoft.com/en-us/library/cc506049.aspx

Gives guides, templates, examples and covers all management areas of release, change, config, security etc.

Configuration management is exactly what it whereas Change management covers several topics within its remit.
0
 
LVL 117

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE)
Andrew Hancock (VMware vExpert / EE MVE) earned 167 total points
ID: 37830707
A simple log book (database or Excel spreadsheet) of changes made to the server: date, time, who made the changes, who authorised the changes, is there a rollback plan.

It also depends sometimes on what industry you are in.

e.g. Payment Card Industry Data Security Standard,
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard


I would highly recommend reading the ITIL framework, documents and practices.

Configuration Management is often under Change Management, which could all be under the Information Technology Infrastructure Library (ITIL).


The Information Technology Infrastructure Library (ITIL), is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITILv3 and ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITILv3 underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, although differences between the two frameworks do exist.

Source
http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37830709
In addition:

a) Without change management, I could make changes to a system (authorised or not) that others did not know about. I go home and something goes wrong - the duty admin would not know about the change and might spend hours trying to find the cause, and in the meantime the system is down. Similarly, I open a port on a firewall thinking it is the right thing to do but I don't do it correctly - trojans get into the system. Change management would have made me write down what I was going to do, how I was going to do it, when I was going to do it, who might be affected whilst I do it, who needs to be informed it is going to happen, who authorised my doing it, who validated my intentions/outcome and also how I will roll any changes back if it all goes pear-shaped.

b) Configuration Management is the recording, storing, version control etc.
0
 
LVL 3

Author Comment

by:pma111
ID: 37831540
So it's essentially a review of whether procedures were followed, as opposed to checking for recent changes on a system, then reviewing the change management documentation to ensure it went through the right process. I guess what I am getting at is everything that is in the CM system is where the process was followed, but auditors would be interested in changes that did not go through the correct process, but how would they spot them?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37831919
Generally they will ask about changes made, then ask to see the supporting documentation trail, signoffs etc.
0
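As an added illustration of the two-sided check discussed in this thread (not code from any of the posters): take two configuration snapshots of a web server, map every difference back to the change register Andrew describes above, and flag each change that has no register entry, no authoriser or no rollback plan. The snapshots, register rows and names (CR-101, CR-102, alice, bob, cab-chair) are constructed sample data.

```go
package main

import "sort"

// ChangeRecord is one row of the change register: what changed, who did it, who authorised it, and how to roll it back.
type ChangeRecord struct{ ID, Item, By, ApprovedBy, Rollback string }

// audit maps every key whose value differs between two config snapshots back to
// the register and returns one finding per gap: unregistered change, missing authoriser, missing rollback plan.
func audit(before, after map[string]string, register []ChangeRecord) []string {
	byItem := map[string]ChangeRecord{}
	for _, r := range register {
		byItem[r.Item] = r
	}
	var changed []string // keys added, removed or altered between the snapshots
	seen := map[string]bool{}
	for _, snap := range []map[string]string{before, after} {
		for k := range snap {
			if !seen[k] && before[k] != after[k] {
				changed = append(changed, k)
			}
			seen[k] = true
		}
	}
	sort.Strings(changed) // stable, readable report order
	var findings []string
	for _, item := range changed {
		r, ok := byItem[item]
		switch {
		case !ok:
			findings = append(findings, item+": changed on server but absent from change register")
		case r.ApprovedBy == "":
			findings = append(findings, item+": "+r.ID+" has no authoriser recorded")
		case r.Rollback == "":
			findings = append(findings, item+": "+r.ID+" has no rollback plan")
		}
	}
	return findings
}

// sampleAudit runs the check over constructed web-server snapshots and register rows.
func sampleAudit() []string {
	before := map[string]string{"ssl_protocols": "TLSv1 TLSv1.1 TLSv1.2", "server_tokens": "off", "autoindex": "off"}
	after := map[string]string{"ssl_protocols": "TLSv1.2", "server_tokens": "on", "autoindex": "on"}
	register := []ChangeRecord{
		{"CR-101", "ssl_protocols", "alice", "cab-chair", "restore previous ssl_protocols line"},
		{"CR-102", "autoindex", "bob", "", "set autoindex off"}, // logged but never authorised
	}
	return audit(before, after, register)
}
```

Changes that appear in the register with a complete trail (CR-101 here) produce no finding; the auditor's attention goes to the rest.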
 
LVL 117
ID: 37832119
Auditors are normally interested in the Procedures followed rather than the actual physical information.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37832512
You would have thought so... however, we will also often pick an example from the Change Register and ask to see validation that the procedure was actually adhered to.
0
 
LVL 3

Author Comment

by:pma111
ID: 37832819
So is it possible to prove a change followed the process, say 3 months after the change?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 166 total points
ID: 37832880
Actually, whether it is able to prove the log is authentic, it should follow the approval workflow whereby there is authorization and acknowledgment by assigned personnel. It need not be in the same department, but it is necessary to tag an identity that has allowed the changes or granted the request. Non-repudiation is a key principle, to uphold throughout. Also, another consideration is the upkeep of a backup of the changes that need to be done on the active standby system. We tend to miss out the changes on standby and only flag them in BCP or DRP checks... probably exercising the emergency use case can be another change mgmt performance indicator for auditing.


Few cents worth
0
 
LVL 117
ID: 37832918
Yes, changes should be logged and recorded. Otherwise your procedures have failed, and staff and the Change Board are not following procedures.
0
 
LVL 61

Expert Comment

by:btan
ID: 37835492
If the workflow system allows digital signatures, it greatly enhances accountability since identity is tagged to the 2FA generating the signature.
0
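Added example, not from btan or anyone else in the thread, of the signed-approval record his two comments above describe and of the "prove it 3 months later" question: the approver signs the change record with an Ed25519 key, and later an auditor verifies it using only the approver's public key from an identity directory, so a record edited after the fact, or one with someone else's name on it, fails. The key handling, the directory and the sample change CR-101 with approver "cab-chair" are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// Approval is the evidence kept with a change: which change, who approved it,
// when, and the approver's signature over exactly those fields.
type Approval struct {
	ChangeID, Item, Approver string
	At                       time.Time
	Signature                []byte
}

// payload is the canonical byte string that is signed; the signature itself is excluded.
func (a Approval) payload() []byte {
	return []byte(a.ChangeID + "|" + a.Item + "|" + a.Approver + "|" + a.At.UTC().Format(time.RFC3339))
}

// Sign attaches the approver's signature. The private key stays with the approver,
// released only after the workflow tool's 2FA step (assumed here, not modelled).
func Sign(a Approval, priv ed25519.PrivateKey) Approval {
	a.Signature = ed25519.Sign(priv, a.payload())
	return a
}

// Verify is the auditor's check: it needs only the approver's public key, looked up
// in an identity directory, so an unknown approver or an altered record fails.
func Verify(a Approval, directory map[string]ed25519.PublicKey) bool {
	pub, ok := directory[a.Approver]
	return ok && ed25519.Verify(pub, a.payload(), a.Signature)
}

// demo approves constructed change CR-101, then re-checks the genuine record, a copy edited later, and a copy naming another approver.
func demo() (genuine, edited, impersonated bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	directory := map[string]ed25519.PublicKey{"cab-chair": pub}
	a := Sign(Approval{ChangeID: "CR-101", Item: "ssl_protocols", Approver: "cab-chair",
		At: time.Date(2012, 4, 10, 9, 0, 0, 0, time.UTC)}, priv)
	genuine = Verify(a, directory)
	e := a
	e.Item = "server_tokens" // register row altered after signing
	edited = Verify(e, directory)
	i := a
	i.Approver = "bob" // someone else's name on the same signature
	impersonated = Verify(i, directory)
	return
}
```

The public-key directory is what makes the check possible months later without involving the approver again; it needs the same retention as the change register itself.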
