Solved

change management and config management testing

Posted on 2012-04-10
12
493 Views
Last Modified: 2012-04-25
Is there perhaps a top 5 checks an auditor or security boss could use to check his server admin/support team are following effective change and configuration management for their web servers? I.e. how can you check they are following effective change/configuration management? What evidence could prove/disprove this?
0
Comment
Question by:pma111
12 Comments
 
LVL 3

Author Comment

by:pma111
ID: 37827530
I guess I am after some sort of management basics on what change management controls, and how it's different from configuration management.

And how could a:

a) lack of change management ultimately make your systems' security more vulnerable
b) lack of configuration management ultimately make your systems' security more vulnerable

Cheers!
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 167 total points
ID: 37830690
Following the ITIL procedures would do this as it covers a multitude of topics that are all inter-related.

I use the Microsoft MOF (Operations Framework) - http://technet.microsoft.com/en-us/library/cc506049.aspx

It gives guides, templates and examples, and covers all management areas: release, change, config, security etc.

Configuration management is exactly what it whereas Change management covers several topics within its remit.
0
 
LVL 120

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 167 total points
ID: 37830707
A simple log book (database or Excel spreadsheet) of changes made to the server: date, time, who made the changes, who authorised the changes, is there a rollback plan.

It also depends sometimes on what industry you are in.

e.g. Payment Card Industry Data Security Standard,
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

I would highly recommend reading the ITIL framework, documents and practices.

Configuration Management is often under Change Management, and all of which could be under The Information Technology Infrastructure Library (ITIL).


The Information Technology Infrastructure Library (ITIL), is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITILv3 and ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITILv3 underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, although differences between the two frameworks do exist.

Source
http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
0

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37830709
In addition:

a) Without change management, I could make changes to a system (authorised or not) that others did not know about. I go home and something goes wrong - the duty admin would not know about the change and might spend hours trying to find the cause, and meantime the system is down. Similarly, I open a port on a firewall thinking it is the right thing to do but I don't do it correctly - trojans get into the system. Change management would have made me write down what I was going to do, how I was going to do it, when I was going to do it, who might be affected whilst I do it, who needs to be informed it is going to happen, who authorised my doing it, who validated my intentions/outcome and also how I will roll any changes back if it all goes pear-shaped.

b) Configuration Management is the recording, storing, version control etc.
0
 
LVL 3

Author Comment

by:pma111
ID: 37831540
So it's essentially a review that procedures were followed, as opposed to checking for recent changes on a system and then reviewing the change management documentation to ensure it went through the right process. I guess what I am getting at is that everything that is in the CM system is where the process was followed, but auditors would be interested in changes that did not go through the correct process, but how would they spot them?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37831919
Generally they will ask about changes made, then ask to see the supporting documentation trail, signoffs etc.
0
 
LVL 120
ID: 37832119
Auditors are normally interested in the Procedures followed rather than the actual physical information.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37832512
You would have thought so..... however, we will also often pick an example from the Change Register and ask to see validation that the procedure was actually adhered to.
0
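Taking the log-book fields suggested earlier in the thread (date, time, who made the change, who authorised it, rollback plan) together with the auditor's practice of sampling a Change Register entry and asking for validation, here is an added example of how a reviewer could reconcile such a register against change evidence gathered from the servers themselves, which is one way to surface the changes that bypassed the process (the question raised above). This is not code from any poster or product; the register columns, the CSV layout, the `OBSERVED_CHANGES` records and the function names are all constructed for illustration, and `OBSERVED_CHANGES` stands in for whatever file-integrity, package-log or config-backup output a site actually collects.

```python
"""Reconcile an approved change register against changes observed on the servers.

Added example: all sample data below is constructed, not taken from a real system.
"""
import csv
import io
from datetime import datetime

# Constructed change register, one row per approved change (ticket).
CHANGE_REGISTER_CSV = """\
change_id,host,path,approved_by,implemented_by,window_start,window_end,rollback_plan
CHG-001,web01,/etc/nginx/nginx.conf,alice,bob,2012-04-02T20:00,2012-04-02T22:00,restore nginx.conf from backup
CHG-002,web01,/etc/ssl/server.pem,alice,bob,2012-04-05T01:00,2012-04-05T02:00,reinstall previous certificate
CHG-003,web02,/etc/nginx/nginx.conf,carol,dave,2012-04-08T20:00,2012-04-08T22:00,
"""

# Constructed records of changes actually observed on the hosts (the kind of
# evidence a file-integrity monitor, package log or config backup diff yields).
OBSERVED_CHANGES = [
    {"host": "web01", "path": "/etc/nginx/nginx.conf", "when": "2012-04-02T20:35", "user": "bob"},
    {"host": "web01", "path": "/etc/ssl/server.pem",   "when": "2012-04-06T14:10", "user": "bob"},
    {"host": "web02", "path": "/etc/nginx/nginx.conf", "when": "2012-04-08T21:05", "user": "dave"},
    {"host": "web02", "path": "/etc/hosts",            "when": "2012-04-09T11:30", "user": "root"},
]


def parse_register(text):
    """Load the CSV register and turn the window columns into datetimes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["window_start"] = datetime.fromisoformat(row["window_start"])
        row["window_end"] = datetime.fromisoformat(row["window_end"])
    return rows


def reconcile(register, observed):
    """Classify each observed change against the register.

    Status per observed change: OK, INCOMPLETE (a ticket covers it but its
    record is weak), OUTSIDE_WINDOW (a ticket exists for that item but the
    change happened outside its approved window) or NO_TICKET (nothing in
    the register covers the item at all).
    """
    findings = []
    for change in observed:
        when = datetime.fromisoformat(change["when"])
        candidates = [r for r in register
                      if r["host"] == change["host"] and r["path"] == change["path"]]
        in_window = [r for r in candidates
                     if r["window_start"] <= when <= r["window_end"]]
        finding = {"host": change["host"], "path": change["path"],
                   "when": change["when"], "change_id": None, "problems": []}
        if not candidates:
            finding["status"] = "NO_TICKET"
        elif not in_window:
            finding["status"] = "OUTSIDE_WINDOW"
            finding["change_id"] = candidates[0]["change_id"]
        else:
            ticket = in_window[0]
            finding["change_id"] = ticket["change_id"]
            # The evidence an auditor asks for when sampling a ticket.
            if ticket["implemented_by"] != change["user"]:
                finding["problems"].append("implementer differs from ticket")
            if ticket["approved_by"] == ticket["implemented_by"]:
                finding["problems"].append("self-approved")
            if not ticket["rollback_plan"].strip():
                finding["problems"].append("no rollback plan")
            finding["status"] = "INCOMPLETE" if finding["problems"] else "OK"
        findings.append(finding)
    return findings


def unevidenced_tickets(register, findings):
    """Tickets that no in-window observed change supports: either the change
    was never made or the monitoring has a gap; both deserve a question."""
    evidenced = {f["change_id"] for f in findings if f["status"] in ("OK", "INCOMPLETE")}
    return [r["change_id"] for r in register if r["change_id"] not in evidenced]


if __name__ == "__main__":
    register = parse_register(CHANGE_REGISTER_CSV)
    results = reconcile(register, OBSERVED_CHANGES)
    for f in results:
        print(f["status"], f["host"], f["path"], f["change_id"], f["problems"])
    print("tickets without evidence:", unevidenced_tickets(register, results))
```

Run as-is it reports one clean change, one certificate change made a day after its approved window, one change whose ticket has no rollback plan, and an edit to /etc/hosts with no ticket at all, plus the ticket (CHG-002) that no in-window evidence supports. The point of working from the server-side evidence first is that the register alone can only show the changes that did go through the process; the ones that bypassed it only appear when you start from what actually changed.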
 
LVL 3

Author Comment

by:pma111
ID: 37832819
So is it possible to prove a change followed the process, say 3 months after the change?
0
 
LVL 63

Assisted Solution

by:btan
btan earned 166 total points
ID: 37832880
Actually, whether it is able to prove the log is authentic, it should follow the approval workflow whereby there is authorization and acknowledgment by assigned personnel. It need not be in rhetorically the same department, but necessarily tags an identity that has allowed the changes or granted the request. Non-repudiation is a key principle to uphold throughout. Also, another consideration is the upkeep of a backup of the changes that need to be done on the active standby system. We tend to miss out the changes on standby, which are only flagged in a BCP or DRP check... probably exercising the emergency use case can be another change mgmt performance indicator for auditing.


Few cents worth
0
 
LVL 120
ID: 37832918
Yes, changes should be logged and recorded. Otherwise your procedures have failed, and staff and the Change Board are not following procedures.
0
 
LVL 63

Expert Comment

by:btan
ID: 37835492
If the workflow system allows digital signatures, it greatly enhances accountability, since identity is tagged to the 2FA generating the signature.
0
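The points above about the approval workflow, non-repudiation and digitally signed entries can be shown with an added example (mine, not code from any poster or workflow product): a change register in which every entry is hash-chained to the one before it and carries a signature from the requester and a separate one from the approver, so that months later a reviewer can still check that an entry is attributable to two named people and that nothing was edited or removed since. The `ChangeRegister` and `verify` names are hypothetical, the per-person keys are constructed, and HMAC stands in for the asymmetric signature a real workflow tool would produce from a key only the named individual (after 2FA) can use.

```python
"""Tamper-evident change register: hash chain plus per-person signatures.

Added example. The signing keys are constructed; HMAC with a per-person key
is a stand-in for the asymmetric signature a real workflow tool would use.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-hash value of the first entry

# Constructed stand-in for each person's private signing key.
SIGNING_KEYS = {
    "alice": b"constructed-key-alice",
    "bob": b"constructed-key-bob",
    "carol": b"constructed-key-carol",
}

# The fields covered by the hash and both signatures.
SIGNED_FIELDS = ("seq", "prev", "change", "requested_by", "approved_by")


def canonical(body):
    """Deterministic byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(person, payload):
    return hmac.new(SIGNING_KEYS[person], payload, hashlib.sha256).hexdigest()


class ChangeRegister:
    def __init__(self):
        self.entries = []

    def record(self, requested_by, approved_by, change):
        """Append a change carrying the requester's and approver's signatures."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "change": change,
                "requested_by": requested_by, "approved_by": approved_by}
        payload = canonical(body)
        entry = dict(body)
        entry["request_sig"] = sign(requested_by, payload)
        entry["approval_sig"] = sign(approved_by, payload)
        entry["entry_hash"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(entry)
        return entry


def verify(entries):
    """Return a list of problems; empty means the chain is intact and every
    entry is still attributable to its two named signers."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(entries):
        payload = canonical({k: e[k] for k in SIGNED_FIELDS})
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence gap (seq {e['seq']})")
        if e["prev"] != prev:
            problems.append(f"entry {i}: broken chain")
        if hashlib.sha256(payload).hexdigest() != e["entry_hash"]:
            problems.append(f"entry {i}: content does not match entry_hash")
        if e["requested_by"] == e["approved_by"]:
            problems.append(f"entry {i}: self-approved")
        for person, field in ((e["requested_by"], "request_sig"),
                              (e["approved_by"], "approval_sig")):
            if person not in SIGNING_KEYS:
                problems.append(f"entry {i}: unknown signer {person}")
            elif not hmac.compare_digest(sign(person, payload), e[field]):
                problems.append(f"entry {i}: bad {field} for {person}")
        prev = e["entry_hash"]
    return problems


def build_sample_register():
    """Constructed register with two approved changes."""
    reg = ChangeRegister()
    reg.record("bob", "alice", {"host": "web01", "path": "/etc/nginx/nginx.conf",
                                "summary": "raise worker_connections"})
    reg.record("bob", "carol", {"host": "web01", "path": "/etc/ssl/server.pem",
                                "summary": "renew certificate"})
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("intact:", verify(reg.entries))
    tampered = list(reg.entries)
    tampered[0] = dict(tampered[0], change=dict(tampered[0]["change"], summary="edited later"))
    print("after edit:", verify(tampered))
```

Editing an entry after the fact invalidates its hash and both signatures without the editor being able to re-sign as the original people, and dropping an entry breaks the chain for everything after it; both show up in `verify` rather than having to be noticed by eye. Rebuilding the payload from the stored fields (rather than trusting a stored copy of the bytes) is what lets the verifier run without the signers present.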
