change management and config management testing

Is there perhaps a top 5 checks an auditor or security boss could use to check his server admin/support team are following effective change and configuration management for their web servers? I.e. how can you check they are following effective change/configuration management? What evidence could prove/disprove this?
Asked by pma111
Keith Alabaster (Enterprise Architect) commented:
Following the ITIL procedures would do this as it covers a multitude of topics that are all inter-related.

I use the Microsoft MOF (Operations Framework) - http://technet.microsoft.com/en-us/library/cc506049.aspx

It gives guides, templates and examples, and covers all management areas of release, change, config, security etc.

Configuration management is exactly what it whereas Change management covers several topics within its remit.
pma111 (Author) commented:
I guess I am after some sort of management basics on what change management controls, and how it differs from configuration management.

And how could a:

a) lack of change management ultimately make your system's security more vulnerable
b) lack of configuration management ultimately make your system's security more vulnerable

Cheers!
Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
A simple log book (database or Excel spreadsheet) of changes made to the server: date, time, who made the changes, who authorised the changes, whether there is a rollback plan.

It also depends sometimes on what industry you are in.

e.g. Payment Card Industry Data Security Standard:
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard


I would highly recommend reading the ITIL framework documents and practices.

Configuration Management is often under Change Management, which could all be under the Information Technology Infrastructure Library (ITIL).


The Information Technology Infrastructure Library (ITIL), is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITILv3 and ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITILv3 underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, although differences between the two frameworks do exist.

Source: http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
Keith Alabaster (Enterprise Architect) commented:
In addition:

a)  Without change management, I could make changes to a system (authorised or not) that others did not know about. I go home and something goes wrong - the duty admin would not know about the change and might spend hours trying to find the cause and meantime the system is down. Similarly, I open a port on a firewall thinking it is the right thing to do but I don't do it correctly - trojans get into the system - Change management would have made me write down what I was going to do, how I was going to do it, when I was going to do it, who might be affected whilst I do it, who needs to be informed it is going to happen, who authorised my doing it, who validated my intentions/outcome and also how I will roll any changes back if it all goes pear shaped.

b) Configuration Management is the recording, storing, version control, etc.
pma111 (Author) commented:
So it's essentially a review of whether procedures were followed, as opposed to checking for recent changes on a system and then reviewing the change management documentation to ensure it went through the right process. I guess what I am getting at is that everything that is in the CM system is where the process was followed, but auditors would be interested in changes that did not go through the correct process; how would they spot them?
Keith Alabaster (Enterprise Architect) commented:
Generally they will ask about changes made, then ask to see the supporting documentation trail, sign-offs etc.
Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
Auditors are normally interested in the Procedures followed rather than the actual physical information.
Keith Alabaster (Enterprise Architect) commented:
You would have thought so... however, we will also often pick an example from the Change Register and ask to see validation that the procedure was actually adhered to.
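The two checks discussed above (spotting changes that never went through the register, and picking a register entry to verify the procedure was followed) can be partly automated when the team has some record of what actually changed on the box. The following is an added illustration written for this page, not code from any of the posters, from ITIL or from MOF. It reconciles constructed file-integrity-monitor observations of a web server against a constructed change register and reports three kinds of finding: observed changes with no matching record, records missing mandatory fields (approver, rollback plan), and changes carried out by someone other than the person recorded. Host names, paths, user names, change IDs and the four-hour matching window are all assumed sample values.

```python
"""Reconcile observed server changes against a change register.

Constructed example data throughout: OBSERVED stands in for a file-integrity
monitor or audit-log export (what the system says happened); REGISTER stands in
for a ticketing/CMDB export (what the team says happened).
"""
from datetime import datetime, timedelta

# Fields an auditor expects on every register entry (the "log book" columns).
REQUIRED_FIELDS = ("id", "host", "path", "when", "who", "authorised_by", "rollback_plan")

# Assumed tolerance between the scheduled change time and the observed change.
WINDOW = timedelta(hours=4)

# Constructed change register.
REGISTER = [
    {"id": "CHG-101", "host": "web01", "path": "/etc/nginx/nginx.conf",
     "when": "2024-03-04T09:15:00", "who": "alice", "authorised_by": "bob",
     "rollback_plan": "restore nginx.conf from git tag pre-CHG-101"},
    {"id": "CHG-102", "host": "web01", "path": "/etc/ssh/sshd_config",
     "when": "2024-03-05T14:00:00", "who": "carol", "authorised_by": "",  # no approver recorded
     "rollback_plan": "revert to previous revision"},
]

# Constructed observations (e.g. from a FIM tool): who touched which file, and when.
OBSERVED = [
    {"host": "web01", "path": "/etc/nginx/nginx.conf",
     "mtime": "2024-03-04T09:20:31", "uid": "alice"},
    {"host": "web01", "path": "/etc/ssh/sshd_config",
     "mtime": "2024-03-05T14:03:10", "uid": "root"},          # done as root, not as carol
    {"host": "web01", "path": "/etc/nginx/sites-enabled/default",
     "mtime": "2024-03-06T23:41:02", "uid": "root"},          # no register entry at all
]


def _ts(value):
    return datetime.fromisoformat(value)


def incomplete_records(register):
    """Register entries whose mandatory fields are empty or absent."""
    findings = []
    for rec in register:
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            findings.append((rec.get("id", "<no id>"), missing))
    return findings


def _matching_records(obs, register, window):
    """Register entries for the same host/path whose scheduled time is within the window."""
    t = _ts(obs["mtime"])
    return [r for r in register
            if r.get("host") == obs["host"] and r.get("path") == obs["path"]
            and r.get("when") and abs(_ts(r["when"]) - t) <= window]


def unregistered_changes(observed, register, window=WINDOW):
    """Observed changes with no register entry: candidates for 'did not follow the process'."""
    return [o for o in observed if not _matching_records(o, register, window)]


def actor_mismatches(observed, register, window=WINDOW):
    """Observed changes that do have a record, but were made by someone else than recorded."""
    findings = []
    for o in observed:
        recs = _matching_records(o, register, window)
        if recs and not any(r.get("who") == o["uid"] for r in recs):
            findings.append((o, [r["id"] for r in recs]))
    return findings


def reconcile(observed, register, window=WINDOW):
    """All three checks in one report, keyed by finding type."""
    return {
        "incomplete": incomplete_records(register),
        "unregistered": unregistered_changes(observed, register, window),
        "actor_mismatch": actor_mismatches(observed, register, window),
    }


if __name__ == "__main__":
    report = reconcile(OBSERVED, REGISTER)
    for cid, missing in report["incomplete"]:
        print(f"{cid}: record incomplete, missing {', '.join(missing)}")
    for o in report["unregistered"]:
        print(f"no change record: {o['host']}:{o['path']} modified {o['mtime']} by {o['uid']}")
    for o, ids in report["actor_mismatch"]:
        print(f"{o['host']}:{o['path']} changed by {o['uid']} but {', '.join(ids)} names someone else")
```

On real data the observation side would be a FIM report, package-manager history or configuration-management run log, and the matching key might be a host plus a package or service rather than a file path; the point is that the register alone cannot reveal changes that bypassed it, so the auditor needs an independent source of "what actually changed" to reconcile against.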
pma111 (Author) commented:
So is it possible to prove a change followed the process, say 3 months after the change?
btan (Exec Consultant) commented:
Actually, whether it is able to prove the log is authentic, it should follow the approval workflow whereby there is authorization and acknowledgment by assigned personnel. It need not be in the same department, but it must tag an identity that has allowed the changes or granted the request. Non-repudiation is a key principle, to uphold throughout. Also, another consideration is the upkeep of a backup of the changes that need to be done on the active standby system. We tend to miss out the changes on standby, which are only flagged in a BCP or DRP check. Probably exercising an emergency use case can be another change management performance indicator for auditing.


My few cents' worth.
Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
Yes, changes should be logged and recorded. Otherwise your procedures have failed, and staff and the Change Board are not following procedures.
btan (Exec Consultant) commented:
If the workflow system allows digital signatures, it greatly enhances accountability, since identity is tagged to the 2FA generating the signature.