Solved

change management and config management testing

Posted on 2012-04-10
Last Modified: 2012-04-25
Is there perhaps a top 5 checks an auditor or security boss could use to check his server admin/support team are following effective change and configuration management for their web servers? I.e. how can you check they are following effective change/configuration management? What evidence could prove/disprove this?
Question by:pma111
12 Comments
 
LVL 3

Author Comment

by:pma111
ID: 37827530
I guess I am after some sort of management basics on what change management controls, and how it's different from configuration management.

And how could a:

a) lack of change management ultimately make your systems' security more vulnerable
b) lack of configuration management ultimately make your systems' security more vulnerable

Cheers!
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 668 total points
ID: 37830690
Following the ITIL procedures would do this as it covers a multitude of topics that are all inter-related.

I use the Microsoft MOF (Operations Framework) - http://technet.microsoft.com/en-us/library/cc506049.aspx

Gives guides, templates, examples and covers all management areas of release, change, config, security etc.

Configuration management is exactly what it whereas Change management covers several topics within its remit.
0
 
LVL 123

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 668 total points
ID: 37830707
A simple log book (database or Excel spreadsheet) of changes made to the server: date, time, who made the changes, who authorised the changes, is there a rollback plan.

It also depends, sometimes, on what industry you are in.

e.g. Payment Card Industry Data Security Standard,
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard


I would highly recommend, reading the ITIL framework, documents and practices

Configuration Management is often under Change Management, and which could all be under The Information Technology Infrastructure Library (ITIL),


The Information Technology Infrastructure Library (ITIL), is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITILv3 and ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITILv3 underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, although differences between the two frameworks do exist.

Source
http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37830709
In addition

a)  Without change management, I could make changes to a system (authorised or not) that others did not know about. I go home and something goes wrong - the duty admin would not know about the change and might spend hours trying to find the cause and meantime the system is down. Similarly, I open a port on a firewall thinking it is the right thing to do but I don't do it correctly - trojans get into the system - Change management would have made me write down what I was going to do, how I was going to do it, when I was going to do it, who might be affected whilst I do it, who needs to be informed it is going to happen, who authorised my doing it, who validated my intentions/outcome and also how I will roll any changes back if it all goes pear shaped.

b) Configuration Management is the recording, storing, version control etc
0
 
LVL 3

Author Comment

by:pma111
ID: 37831540
So it's essentially a review that procedures were followed, as opposed to checking for recent changes on a system and then reviewing the change management documentation to ensure it went through the right process. I guess what I am getting at is that everything that is in the CM system is where the process was followed, but auditors would be interested in changes that did not go through the correct process, so how would they spot them?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37831919
Generally they will ask about changes made then ask to see the supporting documentation trail, signoffs etc
0
 
LVL 123
ID: 37832119
Auditors are normally interested in the Procedures followed rather than the actual physical information.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37832512
You would have thought so..... however, we will also often pick an example from the Change Register and ask to see validation that the procedure was actually adhered to.
0
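The spot-check Keith describes (pick a change from the register and verify the procedure was actually followed) and the earlier question of how an auditor finds changes that never entered the register can both be done mechanically by reconciling the change register against what actually changed on the server. The following is an added example, not code from any poster in this thread; the register rows, file paths, user names and timestamps are all constructed, and the observed-change rows stand in for the output of a file-integrity monitor or an auditd log.

```python
# Added example (constructed data, not from any real system): reconcile
# observed web-server config changes against the change register.
from collections import namedtuple
from datetime import datetime, timedelta

# One register row: what was approved, by whom, and the approved implementation window.
RegisterEntry = namedtuple("RegisterEntry", "change_id path requested_by approved_by window_start window_end")
# One row from a file-integrity monitor or auditd: what actually changed on the server.
ObservedChange = namedtuple("ObservedChange", "path changed_at changed_by")


def reconcile(register, observed):
    """Return (category, detail) findings an auditor would raise."""
    findings, evidenced = [], set()
    for obs in observed:
        same_path = [r for r in register if r.path == obs.path]
        covering = [r for r in same_path
                    if r.window_start <= obs.changed_at <= r.window_end]
        detail = f"{obs.path} by {obs.changed_by} at {obs.changed_at:%Y-%m-%d %H:%M}"
        if covering:                           # applied inside an approved window
            evidenced.update(r.change_id for r in covering)
        elif same_path:                        # approved, but applied outside the window
            evidenced.update(r.change_id for r in same_path)
            findings.append(("outside_window", detail))
        else:                                  # no register entry at all
            findings.append(("unregistered", detail))
    for r in register:
        if r.requested_by == r.approved_by:    # requester signed off their own change
            findings.append(("self_approved", f"{r.change_id} by {r.approved_by}"))
        if r.change_id not in evidenced:       # approved but never seen on the server
            findings.append(("not_evidenced", f"{r.change_id} for {r.path}"))
    return findings


T0 = datetime(2012, 4, 2, 22, 0)               # constructed start of the first window
SAMPLE_REGISTER = [
    RegisterEntry("CHG-101", "/etc/httpd/conf/httpd.conf", "alice", "bob", T0, T0 + timedelta(hours=2)),
    RegisterEntry("CHG-102", "/etc/httpd/conf.d/ssl.conf", "carol", "carol",
                  T0 + timedelta(days=1), T0 + timedelta(days=1, hours=2)),
    RegisterEntry("CHG-103", "/etc/php.ini", "dave", "bob",
                  T0 + timedelta(days=2), T0 + timedelta(days=2, hours=2)),
]
SAMPLE_OBSERVED = [
    ObservedChange("/etc/httpd/conf/httpd.conf", T0 + timedelta(minutes=30), "alice"),
    ObservedChange("/etc/httpd/conf.d/ssl.conf", T0 + timedelta(days=1, hours=5), "carol"),
    ObservedChange("/etc/httpd/conf.d/vhosts.conf", T0 + timedelta(days=3), "erin"),
]

if __name__ == "__main__":
    for category, detail in reconcile(SAMPLE_REGISTER, SAMPLE_OBSERVED):
        print(f"{category:15} {detail}")
```

Each finding maps to one of the gaps discussed in the thread: an unregistered change, a change applied outside its approved window, a requester approving their own change (no separation of duties), and an approved change with no evidence it was ever applied.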
 
LVL 3

Author Comment

by:pma111
ID: 37832819
So is it possible to prove a change followed the process, say 3 months after the change?
0
 
LVL 65

Assisted Solution

by:btan
btan earned 664 total points
ID: 37832880
Actually, whether it is able to prove the log is authentic, it should follow the approval workflow whereby there is authorization and acknowledgment by assigned personnel. It need not be in rhetorically the same department, but necessarily to tag an identity that has allowed the changes or granted the request. Non-repudiation is a key principle, to uphold throughout. Also, another consideration is the upkeep of a backup of the changes that need to be done on the active standby system. We tend to miss out the changes on standby, which are only flagged in a BCP or DRP check... probably exercising the emergency use case can be another change mgmt performance indicator for auditing.


Few cents worth
0
 
LVL 123
ID: 37832918
Yes, changes should be logged and recorded. Otherwise your procedures have failed, and staff and the Change Board are not following procedures.
0
 
LVL 65

Expert Comment

by:btan
ID: 37835492
If the workflow system allows digital signatures, it greatly enhances accountability, since identity is tagged to the 2FA generating the signature.
0