change management and config management testing

Is there perhaps a top 5 checks an auditor or security boss could use to check his server admin/support team are following effective change and configuration management for their web servers? I.e. how can you check they are following effective change/configuration management? What evidence could prove/disprove this?
pma111 (Author) commented:
I guess I am after some sort of management basics on what change management controls, and how it's different from configuration management.

And how could a:

a) lack of change management ultimately make your system's security more vulnerable
b) lack of configuration management ultimately make your system's security more vulnerable

Keith Alabaster (Enterprise Architect) commented:
Following the ITIL procedures would do this, as it covers a multitude of topics that are all inter-related.

I use the Microsoft MOF (Operations Framework).

It gives guides, templates and examples, and covers all management areas: release, change, config, security etc.

Configuration management is exactly what it says, whereas Change management covers several topics within its remit.

Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
A simple log book (database or Excel spreadsheet) of changes made to the server: date, time, who made the changes, who authorised the changes, is there a rollback plan.

It also depends sometimes on what industry you are in.

e.g. Payment Card Industry Data Security Standard.

I would highly recommend reading the ITIL framework, documents and practices.

Configuration Management is often under Change Management, which could all be under The Information Technology Infrastructure Library (ITIL).

The Information Technology Infrastructure Library (ITIL), is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITILv3 and ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITILv3 underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, although differences between the two frameworks do exist.

Keith Alabaster (Enterprise Architect) commented:
In addition:

a) Without change management, I could make changes to a system (authorised or not) that others did not know about. I go home and something goes wrong - the duty admin would not know about the change and might spend hours trying to find the cause, and meanwhile the system is down. Similarly, I open a port on a firewall thinking it is the right thing to do, but I don't do it correctly - trojans get into the system. Change management would have made me write down what I was going to do, how I was going to do it, when I was going to do it, who might be affected whilst I do it, who needs to be informed it is going to happen, who authorised my doing it, who validated my intentions/outcome, and also how I will roll any changes back if it all goes pear-shaped.

b) Configuration Management is the recording, storing, version control etc.
pma111 (Author) commented:
So it's essentially a review of whether procedures were followed, as opposed to checking for recent changes on a system and then reviewing the change management documentation to ensure it went through the right process. I guess what I am getting at is that everything that is in the CM system is where the process was followed, but auditors would be interested in changes that did not go through the correct process; how would they spot them?
Keith Alabaster (Enterprise Architect) commented:
Generally they will ask about changes made, then ask to see the supporting documentation trail, signoffs etc.
Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
Auditors are normally interested in the procedures followed rather than the actual physical information.
Keith Alabaster (Enterprise Architect) commented:
You would have thought so... however, we will also often pick an example from the Change Register and ask to see validation that the procedure was actually adhered to.
pma111 (Author) commented:
So is it possible to prove a change followed the process, say 3 months after the change?
btan (Exec Consultant) commented:
Actually, whether or not it is able to prove the log is authentic, it should follow the approval workflow whereby there is authorization and acknowledgment by assigned personnel. It need not be in rhetorically the same department, but it must necessarily tag an identity that has allowed the changes or granted the request. Non-repudiation is a key principle, to uphold throughout. Also, another consideration is the upkeep of a backup of the changes that need to be made on the active standby system. We tend to miss out the changes on standby; they are only flagged in a BCP or DRP check... probably exercising the emergency use case can be another change mgmt performance indicator for auditing.

Few cents' worth.
Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
Yes, changes should be logged and recorded. Otherwise your procedures have failed, and staff and the Change Board are not following procedures.
btan (Exec Consultant) commented:
If the workflow system allows digital signatures, it greatly enhances accountability, since identity is tagged to the 2FA generating the signature.
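One way an auditor could spot changes that bypassed the process (the author's question above) and check the log-book fields Andrew lists (who changed, who authorised, rollback plan), as an added example that is not part of this thread: it reconciles file-integrity-monitoring events from the server against the change register. The register layout, event format, host names, paths and people are all constructed assumptions, not any real tool's output.

```python
from datetime import datetime

# Constructed change register (the "log book": change window, who made the
# change, who authorised it, rollback plan). Field names are my assumption.
REGISTER = [
    {"id": "CHG-1001", "host": "web01", "path": "/etc/nginx/nginx.conf",
     "start": "2024-03-04T09:00", "end": "2024-03-04T11:00",
     "implementer": "alice", "approver": "bob", "rollback": "restore from backup"},
    {"id": "CHG-1002", "host": "web01", "path": "/etc/ssh/sshd_config",
     "start": "2024-03-05T14:00", "end": "2024-03-05T15:00",
     "implementer": "carol", "approver": "carol", "rollback": ""},
]

# Constructed file-integrity-monitoring events taken from the server itself,
# one per line: "<timestamp> <host> <user> <action> <path>" (format assumed).
FIM_EVENTS = [
    "2024-03-04T09:42 web01 alice MODIFY /etc/nginx/nginx.conf",
    "2024-03-05T14:20 web01 carol MODIFY /etc/ssh/sshd_config",
    "2024-03-06T23:10 web01 dave MODIFY /etc/nginx/conf.d/site.conf",
]

def parse_event(line):
    ts, host, user, _action, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "path": path}

def covering_change(event, register):
    """Register entry whose host, path, implementer and time window all match
    the observed event, or None when no approved change covers it."""
    for chg in register:
        if (chg["host"], chg["path"], chg["implementer"]) != (event["host"], event["path"], event["user"]):
            continue
        if datetime.fromisoformat(chg["start"]) <= event["ts"] <= datetime.fromisoformat(chg["end"]):
            return chg
    return None

def audit(events, register):
    """Reconcile what actually changed on the box against the register.
    Returns (reference, finding) pairs; an empty list means every change is accounted for."""
    findings = []
    for line in events:
        ev = parse_event(line)
        chg = covering_change(ev, register)
        if chg is None:  # never went through the process: the case the auditor wants to spot
            findings.append((line, "UNREGISTERED: no approved change covers this modification"))
            continue
        if chg["approver"] == chg["implementer"]:  # no separation of duties, weak non-repudiation
            findings.append((chg["id"], "SELF-APPROVED: implementer and approver are the same identity"))
        if not chg["rollback"]:
            findings.append((chg["id"], "NO ROLLBACK PLAN recorded"))
    return findings
```

Run `audit(FIM_EVENTS, REGISTER)` against the constructed data and it flags the self-approved sshd change with no rollback plan and the late-night edit by a user with no register entry, while the nginx change passes cleanly.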