"The latest financial news covering the european financial markets..."
Change control

Tripwire Inc | www.tripwire.com

by Paul Gostick, Tripwire Inc.
The need for effective change control is driven by two key factors – compliance with regulations and the drive towards operational excellence.
Legislation such as Sarbanes-Oxley and the myriad data protection regulations in effect throughout the world make compliance a difficult and potentially resource-intensive process. Auditors look for integrated processes and controls that ensure the underlying systems are managed responsibly.
In most large businesses, critical financial processes run automatically on vast, complex computing infrastructures. Executives are tempted to assume (perhaps even hope) that this infrastructure is a monolithic, invulnerable, unchanging entity and once policies are established and the systems are running, everything is fine. In fact, IT operations are surprisingly and alarmingly fluid.
As the leading IT audit finding is change-related, many IT organisations are adopting change and configuration management tools to help them improve audit preparedness, reduce risk, and improve their ability to manage change. Such tools provide preventive and corrective measures. They help automate processes, simplify software deployment, and reduce the time it takes to administer system configurations.
The problem is that these tools and processes can be circumvented without anyone knowing. In effect, the ability to create change is in place, but there is no complementary system for reporting and flagging any changes made. To ensure that preventive and corrective measures against unauthorised changes are in place and effective, you need to add detective controls. These controls continually monitor systems to report all change and, crucially, discover unauthorised changes or process failures and alert the appropriate IT staff.
This is change auditing.

Independence is the key
However, auditors increasingly want to see independent change detection and verification – something that demands much more than can be delivered by basic change and configuration management technologies. As an important component of compliance and security efforts, change auditing occurs independently of the individuals approving and making changes, thus closing any loopholes in the change management processes. Change auditing then reconciles any detected changes against tested, authorised changes, providing alerts when change is unauthorised.
As it reports all change activity objectively, change auditing can be used by IT to verify the effectiveness (or not) of their existing controls. In fact, Sarbanes-Oxley Section 404 requires a company's independent auditor to sign off the client's internal controls. With change auditing capabilities in place, security and compliance processes can be enforced and any attempts to circumvent them will be identified.
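The reconciliation step described above, as an added Python example that is not Tripwire's code or part of the original article: it reads system state directly rather than trusting the change tool's own log, and matches each detected change against the hash of the tested result, so an approved ticket does not cover untested content. File paths, contents and ticket ids are constructed sample data.

```python
import hashlib

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def snapshot(files: dict) -> dict:
    """Record path -> SHA-256 for the observed state (files is {path: bytes})."""
    return {path: digest(data) for path, data in files.items()}

def detect_changes(baseline: dict, current: dict) -> list:
    """Compare two snapshots; return (path, kind, new_hash) per difference."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "modified"
            changes.append((path, kind, new))
    return changes

def reconcile(changes: list, approved: dict):
    """Split changes into authorised and unauthorised.
    approved maps path -> (ticket id, hash of the tested result)."""
    authorised, unauthorised = [], []
    for path, kind, new_hash in changes:
        ticket, expected = approved.get(path, (None, None))
        if ticket is not None and expected == new_hash:
            authorised.append((path, kind, ticket))
        else:
            unauthorised.append((path, kind))  # no ticket, or content differs from what was tested
    return authorised, unauthorised

# Constructed sample data: baseline, observed state, and the approved change record.
BASELINE = snapshot({"/etc/ssh/sshd_config": b"PermitRootLogin no\n",
                     "/etc/sudoers": b"root ALL=(ALL) ALL\n",
                     "/opt/ledger/app.conf": b"batch_window=02:00\n"})
CURRENT = snapshot({"/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
                    "/etc/sudoers": b"root ALL=(ALL) ALL\n%ops ALL=(ALL) ALL\n",
                    "/opt/ledger/app.conf": b"batch_window=03:00\n"})
APPROVED = {"/opt/ledger/app.conf": ("CHG-1001", digest(b"batch_window=03:00\n")),
            "/etc/sudoers": ("CHG-1002", digest(b"root ALL=(ALL) ALL\n%ops ALL=(ALL) /usr/bin/systemctl\n"))}

def run_audit():
    return reconcile(detect_changes(BASELINE, CURRENT), APPROVED)

if __name__ == "__main__":
    ok, alerts = run_audit()
    for path, kind, ticket in ok:
        print(f"authorised   {kind:9} {path} ({ticket})")
    for path, kind in alerts:
        print(f"UNAUTHORISED {kind:9} {path}")
```

The `/etc/sudoers` change is flagged even though a ticket exists for that file, because the deployed content is not the content that was tested.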

High performing organisations
Perhaps the most interesting part of this approach is that the same systems that deliver this independent detection, reconciliation and reporting can also produce massive benefits in terms of operational excellence. With unauthorised changes being automatically audited, the amount of time IT spends tracking down the origin of unexpected issues and failures is hugely reduced. This in turn effectively creates significantly increased capacity within resource-hungry IT departments, freeing them to focus on planned, and often high-priority, development.
It is, in effect, a double win: detailed compliance data is automatically generated and ad-hoc problems are much more quickly traced and remedied, saving time and resources.
Research by the IT Process Institute (ITPI) over the last five years has established a causal relationship between key IT controls and IT effectiveness. One of its key findings is that high performing organisations spent less than half the effort on compliance, which significantly reduced costs.
Even better for the CFO and CEO, money spent on change auditing can actually generate returns in terms of increased productivity and meeting stringent compliance regulations.

The right tools
Of course, successful change management starts with the right people and processes – and, most crucially, from the right culture. But it ultimately succeeds with the right tools. The tool that meets all the criteria for successful, independent change auditing is Tripwire Enterprise, a system capable of providing baselines and monitoring changes to hundreds of systems across an enterprise, providing a verifiable audit trail of all changes.
Tripwire’s all-inclusive change auditing solutions play a critical role in meeting today’s demanding needs for IT regulatory compliance, total availability, and enhanced security.
For more information visit www.tripwire.com/europe/fst, e-mail changeaudit@tripwire.com or call +44 (0) 20 7618 8324.

Culture, controls and credibility:
The three Cs provide a valuable framework to assess whether change management processes are really effective and working to protect the business from risk.

Culture
  • IT control starts at the top
  • Enforce defined processes

Controls
  • All change must be auditable
  • All unauthorised change must be investigated

Credibility
  • Accountability and consequence – what happens when someone goes around the process?
  • Manage by fact, not by faith

