In Tripwire's Prescriptive Guide to Operational Excellence, you'll find specific how-to assistance from experts in IT governance, security, compliance, and IT operations that will help you reduce unplanned work, mitigate risk and free up IT staff for more strategic projects.
Prescriptive Guide to Operational Excellence Volume 1
PRESCRIPTIVE GUIDE SERIES
OPERATIONAL EXCELLENCE: Linking Your Business, Compliance, Operations and Security.
A TACTICAL GUIDE ENABLING YOU TO TAKE ACTION AND ACHIEVE OPERATIONAL EXCELLENCE.
TABLE OF CONTENTS

INTRODUCTION
How To Use The Guide ... 1
Background ... 1

TRIPWIRE PERSPECTIVE
Tripwire Perspective ... 3
Common Characteristics Of High Performers ... 4
The IT Maturity Process ... 4
Enforcing A Change Policy ... 6
Tripwire Facilitates Change Management ... 7
Why It's Worth It ... 9

OPERATIONAL EXCELLENCE
Importance From A Management Perspective ... 11
Enabling Compliance ... 11
Opportunities To Improve Operational Efficiency ... 12
Alignment ... 12
Project Management ... 13
Risk Management ... 13
Control Layers ... 13
Policies And Procedures ... 14
Training ... 14
Segregation Of Duties ... 15
Change Management ... 15
Integration Of Change Management To Incident And Problem Management ... 16
Network Monitoring ... 16
Logical Access Controls ... 16
Physical Access Controls ... 17
Business Continuity Planning And Disaster Recovery ... 17
Audit ... 17
IT Audit ... 18
Common Characteristics Of High-Performing Organizations ... 19
Change And Patch Management Self Assessment Checklist ... 20
How Tripwire Helps Organizations Achieve High-Performance Operations ... 21

IT AUDIT
Importance From A Management Perspective ... 23
Enabling Compliance ... 24
An Internal Audit Plan ... 24
IT Self Assessments And Other Continuous Improvement Efforts ... 25
Audit Self Assessment Checklist ... 26

INFORMATION SECURITY
Importance From A Management Perspective ... 27
Enabling Compliance ... 27
Opportunities To Improve Operating Efficiency ... 28
Common Practice And Control Mandates ... 29
IT Audit ... 36
Information Security Self Assessment Checklist ... 38
How Tripwire Enhances Security ... 39

PAYMENT CARD INDUSTRY
Background ... 41
Importance From A Management Perspective ... 41
Enabling Compliance ... 41
Opportunities To Improve Operating Efficiency ... 43
IT Audit ... 44
PCI Audit Self Assessment Checklist ... 44
How Tripwire Helps Meet PCI Requirements ... 45

COMPLIANCE RETROSPECT
A Way Of Life ... 47
Compliance Applies To Most Companies ... 47
Best Practices Enable Compliance ... 47
Common Compliance IT Threads ... 48
Audit And Technology Are Enablers ... 49
Mandate For Compliance ... 50
Compliance Self Assessment Checklist ... 54
Using Tripwire To Achieve And Maintain Compliance ... 55

NEXT STEPS
Next Steps ... 57

Prescriptive Guide, Introduction, pages v-vi
PRESCRIPTIVE GUIDE
INTRODUCTION
HOW TO USE THE GUIDE
In the Prescriptive Guide to Achieving Operational Excellence, we bring together industry experts in operations, IT audit, information security, the payment card industry standard, and compliance, combining their expertise with Tripwire's experience to help you meet these pervasive challenges. The Guide begins with a perspective on the value of creating a culture of effective change management and concludes with a retrospect on the compliance decade.
To help you save time and quickly target the area(s) of most interest, we have focused each section of the Guide on a specific IT challenge and provided one expert's insight into that challenge. At the end of each section, we offer a self-assessment checklist and tips for using Tripwire change auditing solutions to help meet that specific challenge. This modular approach means that you don't have to worry about missing fundamental information or related concepts if you decide to skip sections of the Guide. Our goal is to bring you useful, actionable information in a straightforward format. We welcome your comments and feedback via email at: guide@tripwire.com.
BACKGROUND
In today's networked operating environment, all companies must be proactive in strategically managing business and IT processes, applications, information, technology, facilities, and security. Done properly, this creates a proactive and predictive enterprise-wide culture of operational excellence that is tuned to monitor risk, detect problems, respond, reconcile, report, and measure value in real time throughout the enterprise. Such companies will be able to meet compliance requirements, release capital, and leverage their risk investments for competitive advantage and superior business performance. Specifically, these changes will help your company to:
• Pass audits
• Assure data integrity
• Minimize fraud losses
• Reduce unplanned work
• Reduce operational costs
• Ensure business continuity
• Increase system availability
• Identify and remediate information security vulnerabilities
• Enable business executives to understand and take responsibility for the technology and
controls underpinning business processes
• Reduce the cost of compliance by eliminating redundant and duplicate compliance efforts
• Demonstrate to regulators, auditors, credit rating agencies, and customers that they are a
well-run business
• Establish a proactive and predictive operational risk management methodology against
increasingly sophisticated threats and business challenges
TRIPWIRE PERSPECTIVE
The Greeks knew it long ago: you can't step into the same river twice. Change is constant. And their world was quite static compared to ours. Fast-forward to our century, where technology is king and change occurs so rapidly it is difficult to manage. To keep pace with business, IT must also continually change, sometimes in imperceptible increments, as services evolve and underlying IT infrastructure is maintained.
"Everything flows, nothing stands still." - Heraclitus
IT is a structure of complex systems of systems that must work together to deliver these services. A "Service" contains an integrated "Stack" of systems such as applications, databases, middleware, directory services, operating systems, and networks. Each system in the stack has a specific behavior and state determined by a multitude of detailed elements such as file systems and their attributes, configuration settings, users, and permissions.
This complexity means that changes in the IT infrastructure can impact every part of a business operation, requiring IT to respond with an array of system management techniques, tools, procedures, and policies that together help define a change management process. In many cases these processes are based on best practices frameworks such as ITIL (the IT Infrastructure Library).
Change must be controlled to mitigate the risks that change poses to IT's compliance, service quality, and security posture. National and local laws, as well as private contractual arrangements, demand that organizations implement controls on their IT infrastructure.
As information management practices receive greater scrutiny within organizations of all sizes, the need to systematically evaluate and enforce IT policy has become a fact of life. Now, more than ever, change control is foundational to IT control. Without strong change controls, companies experience:
• Poor audit performance due to control deficiencies;
• Service outages, unplanned work, and delayed delivery of strategic projects resulting from
unauthorized and undocumented changes;
• Increased risk and lack of assurance surrounding system security and data integrity; and
• Increased audit cost and scope.
COMMON CHARACTERISTICS OF HIGH PERFORMERS
The Institute of Internal Auditors' Global Technology Audit Guide "Change and Patch Management Controls" poses the question, "What do all high performing IT organizations have in common?" The answer is, "They have a culture of change management that prevents and deters unauthorized change."
Companies that have embraced change management accrue at least three tangible benefits:
• Less than 5% of time spent in unplanned work (often referred to as "fire fighting");
• A low number of "emergency" changes; and
• A change success rate of over 99%, as defined by no resultant outages or episodes of unplanned work following change implementation.
High performers achieve their position because they understand that change policies must
be enforced to be effective, and that change policy enforcement requires three components:
Culture, Controls, and Credibility.
Culture - A change management culture means that adhering to change policies and processes is part of the IT organization's DNA. This culture starts at the top with executives who understand that unauthorized change constitutes uncontrolled business risk. They must not only expect that policies are followed; they must inspect that policies are followed. "Trust but verify" is the mantra of top performers.
Top management must provide clear, consistent communication that sets the expectation
that change management must be followed, starting with ensuring that change policies are in
place and that they are enforced.
Controls - The key to controlling IT is to institute effective policies, then implement robust
controls to ensure all changes are auditable and authorized, and that all unauthorized changes
are investigated. Organizations with weak IT controls invariably spend higher percentages
of their resources on unplanned work, produce sub-standard operational results, and deliver
lower quality service to their customers.
Credibility - Credibility cannot be implemented – it must be earned. IT organizations achieve
credibility when they can demonstrate control of IT, and can show a history of consistent
accountability, consequences, and measurable improvement. When people circumvent the
proper procedures, they are held accountable and experience visible consequences for going
around the system.
Organizational change is never implemented without resistance. While many IT staff members commonly protest that increased change controls will slow them down as they perform their tasks, high-performing IT organizations consistently prove that implementing good processes and controls actually increases efficiency and productivity throughout the organization.
THE IT MATURITY PROCESS
How does one know if their IT organization is a high performer or if there is room for improvement in the change management process? The amount of time spent in "fire fighting" is one of the easiest indicators to gauge this.
In the average IT organization, it is common for unplanned tactical response to take significant amounts of time away from the strategic projects organizations should be implementing. This is one of the most common problems facing IT managers today. Fortunately, it is one that can be solved through the implementation and enforcement of effective change policies.
Figure 1: The Four Levels of IT Maturation (chart plotting effectiveness against maturity level, from "changes control the organization" on the left to "the organization controls the changes" on the right)
Level 1, Reactive: over 50% of time spent on unplanned work
Level 2, Using Honor System: 35 - 50% of time spent on unplanned work
Level 3, Closed-Loop Process: 15 - 35% of time spent on unplanned work
Level 4, Continuously Improving: under 5% of time spent on unplanned work
Tripwire, together with the IT Process Institute (ITPI), has been studying customers and world-class IT organizations for several years. With the twin goals of understanding the commonalities between top-performing IT organizations and determining the steps an organization must take to improve its IT Service Management capabilities, we have found four levels of capability in Change Management processes:
1. Reactive: IT groups in this first level typically spend most of their time firefighting and have problems with poor service levels and long outage times.
At this stage, there is usually very little formal process in place, almost no systematic communication about changes happening in the environment, and plenty of finger-pointing about the cause of service interruptions.
2. Using the Honor System: As they begin to become dissatisfied with the thrash of life in the Reactive mode, IT organizations typically start by implementing a defined change management process.
At this stage they begin to document policies and practices, and start to put some technologies in place to try to guide the change authorization process. Unfortunately, at this stage, organizations are reliant on the "Honor System" for individuals' adherence to these new policies and procedures. It is common for organizations at this stage to become frustrated because they cannot systematically determine when people circumvent these new policies.
3. Using Closed-Loop Change Management: Significant performance gains are realized when organizations implement closed-loop change management processes. Closed-Loop Change Management exists when detective controls are implemented to detect changes to production infrastructure, and all changes are reconciled with authorizations to ensure that no undocumented or unauthorized changes escape notice.
At this stage, there is typically a formal project (or at least strong executive sponsorship) to
fix problems with change management and to get service levels and IT costs under control.
At this level of operation, there is generally a marked improvement in service levels and a
decrease in unplanned work.
4. Continuously Improving: Once they’ve experienced the benefits of Closed-Loop Change
Management, companies begin to use their newly acquired control to pinpoint areas of
problems and inefficiency. They are then able to systematically attack and improve weak
areas, which enables continuous and ongoing improvement.
Companies at this level, while not perfect, are able to provide predictable, high quality
services in a cost-effective manner.
Organizations interested in implementing a change management program must first assess
where they currently stand, and where they wish to end up. Questions that can help determine
the present level of IT maturity include:
• What is the overall goal of the change management process?
• What percentage of their time does the IT staff spend on unplanned work?
• If something changed in the IT environment, how would anyone know?
• What is the volume of emergency changes in the IT environment?
• Is the change audit trail properly documented?
• How many failed changes have been experienced and what were their causes?
ENFORCING A CHANGE POLICY
Controlling IT depends on controlling change, which depends on enforcing change policy
with effective controls to ensure that all changes are auditable and authorized, and that all
unauthorized changes are investigated. For change policy enforcement to work on a practical
level the following requirements must be adopted:
All changes must be auditable - All changes made within the IT infrastructure must be clearly
visible and documented. IT needs to be especially aware of a high rate of change to at-risk
systems and make policy changes that will reduce or eliminate episodes of unplanned work.
Change throughout the entire service stack must be audited. A "service" contains an integrated "stack" of systems including applications, databases, middleware, directory services, operating systems and networks. Each system in the stack has a specific behavior and state determined by a multitude of detailed elements including file systems, configuration settings, users, and permissions.
Someone other than the person (or technology) making the change must approve and record the change. This segregation of duties prevents fraudulent change recording and mistakes made due to simple over-familiarity. Finally, a historical audit trail describing all changes, including when they were made, and by whom, must be maintained.
Basic Control Objectives
• All devices in the production environment must be monitored for changes;
• All changes to high-risk systems (referred to as "fragile artifacts" in the Visible Ops methodology) need to be recorded, explained, and documented;
• A baseline of configuration items is kept as a check point to return to; and
• Change implementers cannot authorize their own changes.
Advanced Control Objectives - Includes the above, plus:
• All changes must be tested in pre-production before being implemented in the
production environment;
• All production changes need to be recorded, explained, and documented;
• Change verification/validation should be performed after implementation;
• Emergency changes should include an adequate audit trail to allow tracking from
incident to underlying cause and back; and
• The success and failure of changes should be tracked.
All changes must be authorized - Unauthorized change is the primary cause of unplanned
work, unanticipated downtime, and business risk. Only authorized changes are acceptable. An
authorized change that corresponds to an established change policy may require that a trusted
person make the change and only during a scheduled maintenance window. It may also require
that a change exactly matches both the change previously approved in the QA environment
and an approved change ticket.
Basic Control Objectives
• All changes must be reviewed by the Change Advisory Board (CAB).
• All devices in production must be scanned for change at pre-determined intervals.
• No changes to production assets outside the maintenance window.
• All changes must map to an authorization ticket.
Advanced Control Objectives - Includes the above, plus:
• No changes will be made to production assets except by <specific roles / people>.
• Change implementers will not authorize change requests, nor sign off on
completed changes.
• No changes to production assets by pre-production personnel.
All unauthorized change must be investigated - Unauthorized changes cannot be ignored. They must be investigated to determine if they should be accepted or rolled back. It may be prudent to treat high severity unauthorized changes as a security breach until proven otherwise. Controls should be in place to make certain that unauthorized changes are resolved in a timely manner.
Each change that is detected must be mapped to authorized work or flagged for investigation. It may be a malicious act, but more often it is a case of the right person doing the wrong thing, or a mistake made by an authorized individual. Whatever the case, a detection system is necessary to implement an effective system of change controls.
Control Objectives
• All unauthorized changes must be escalated, investigated, documented and
resolved within a specified timeframe.
• No unauthorized change should remain in the environment.
TRIPWIRE FACILITATES CHANGE MANAGEMENT
Getting control of IT cannot be achieved by technology alone. Creating a solution to enforce
change policy involves a combination of People, Process, and Technology. Business process
owners, IT staff, Security, and Audit must all work together to enforce change policy.
Controlling IT also requires expert knowledge of data, devices, and an understanding of how change happens to help evaluate, define, and implement effective processes. This is where
how change happens to help evaluate, define, and implement effective processes. This is where
Tripwire Professional Services contributes to build a change management process that will aid
in passing audits, improve service quality, and assure the integrity of the IT infrastructure.
Once the policies and processes are defined, they can be enforced with technology.
Tripwire Enterprise change auditing detects all changes, reconciles detected changes with
authorized changes to expose unauthorized change, and reports on policy exceptions. This is
important to IT management and practitioners because change control is foundational to IT
compliance, security and service quality.
Change Detection - Tripwire Enterprise is a single solution to effectively audit change across the enterprise, giving IT the ability to audit all change. Tripwire Enterprise does this with its breadth of infrastructure coverage, enhanced baseline controls, independence, and enterprise-class manageability.
Tripwire Enterprise monitors the various systems that comprise the service stack and covers the elements contained within each individual system operating in the service stack. These elements include file systems and their attributes, configuration settings, users, and permissions. Tripwire provides a single point of change control across a diverse service stack comprised of different systems from a wide variety of vendors.
Tripwire detects change relative to a specific, designated known and trusted state called a "baseline". Tripwire establishes a baseline against which change is measured and provides a secure audit trail of all changes. With Tripwire, only those users specifically granted the appropriate permissions are able to promote detected changes to the "current baseline", ensuring the proper baseline is maintained.
Tripwire Enterprise is independent of the myriad of administration tools used to manage and make changes. It verifies the results of these change implementation methods to ensure all expected changes were made, and only expected changes were made.
Lastly, Tripwire Enterprise enables an organization with multiple nodes to easily manage its infrastructure and reduce administrative burden by offering a scalable architecture that supports thousands of heterogeneous devices and operating environments across the service stack. Nodes can be grouped into logical, user-defined groups with configurable severity levels to denote the relative significance of a change, which can trigger different response actions.
Change Reconciliation - Typical IT environments experience thousands of changes daily, and looking for unauthorized changes is like looking for a needle in a haystack. This challenge really is best solved by technology.
Tripwire Enterprise verifies expected, authorized change and identifies unauthorized change that must be investigated by enabling a variety of manual and automated techniques to distinguish between expected and appropriate change, and unauthorized change that may negatively impact compliance, service quality or security. This reconciliation is based on criteria such as:
• Who made the change;
• When the change occurred relative to scheduled maintenance windows;
• Whether the change matches a change previously detected and approved in a QA environment; and
• Whether the change corresponds with an approved change ticket.
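The reconciliation criteria above, worked through in code. This is an added example written for this edition and is not Tripwire Enterprise code: it takes a content-hash and permission-bit baseline of a directory, turns every difference from that baseline into a change record, and then maps each record to a CAB-approved ticket using who made the change (from a constructed stand-in for a host audit log), whether it fell inside the ticket's maintenance window, and whether the implementer also approved the ticket (the segregation-of-duties rule from the control objectives). The QA-match criterion is left out. The file names, user names, ticket IDs, window times and file contents are all constructed for the illustration.

```python
"""Added illustration: baseline change detection plus ticket reconciliation.
Not Tripwire Enterprise code; files, users, tickets and times are constructed."""
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

State = Dict[str, Tuple[str, int]]  # relative path -> (sha256, permission bits)

def snapshot(root: str) -> State:
    """Hash and record the mode of every regular file under root (the baseline)."""
    state: State = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # links and devices need their own attribute set; skipped here
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (digest, os.stat(full).st_mode & 0o7777)
    return state

def detect(baseline: State, current: State) -> List[Tuple[str, str]]:
    """Every difference from the trusted baseline becomes a (path, kind) record."""
    out = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            out.append((path, "added"))
        elif path not in current:
            out.append((path, "removed"))
        elif baseline[path] != current[path]:
            out.append((path, "modified"))
    return out

@dataclass(frozen=True)
class AuditEvent:  # stand-in for a host audit-log entry: who changed what, and when
    path: str
    user: str
    when: datetime

@dataclass(frozen=True)
class Ticket:  # stand-in for a CAB-approved change ticket with a maintenance window
    ticket_id: str
    paths: frozenset
    implementers: frozenset
    approver: str
    window: Tuple[datetime, datetime]

def reconcile(changes, events, tickets) -> Dict[str, Tuple[str, str]]:
    """Map each change to an approved ticket or flag it: path -> (status, reason)."""
    who = {e.path: e for e in events}
    result = {}
    for path, kind in changes:
        ev = who.get(path)
        if ev is None:  # nothing attributes the change: investigate, never accept
            result[path] = ("unauthorized", f"{kind}: no audit record attributes it")
            continue
        hit, reason = None, f"{kind}: no approved ticket covers this path"
        for t in (t for t in tickets if path in t.paths):
            if ev.user not in t.implementers:
                reason = f"{ev.user} is not an approved implementer on {t.ticket_id}"
            elif ev.user == t.approver:  # segregation of duties
                reason = f"{ev.user} both approved and implemented {t.ticket_id}"
            elif not (t.window[0] <= ev.when <= t.window[1]):
                reason = f"made outside the maintenance window of {t.ticket_id}"
            else:
                hit = t
                break
        result[path] = (("authorized", f"matches {hit.ticket_id}") if hit
                        else ("unauthorized", reason))
    return result

def demo(root: str) -> Dict[str, str]:
    """Baseline a tiny config tree under root, apply four constructed changes,
    reconcile them and return {path: status}."""
    def put(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)
    put("etc/httpd.conf", "Listen 80\n")
    put("etc/sshd_config", "PermitRootLogin no\n")
    baseline = snapshot(root)
    t0 = datetime(2024, 1, 13, 2, 0, tzinfo=timezone.utc)
    win = (t0, t0 + timedelta(hours=2))                     # approved maintenance window
    put("etc/httpd.conf", "Listen 443\n")                   # ticketed, in window
    put("etc/sshd_config", "PermitRootLogin yes\n")         # implementer approved own ticket
    put("etc/cron.d/nightly", "0 3 * * * root /opt/job\n")  # ticketed, but after the window
    put("etc/ld.so.preload", "/tmp/x.so\n")                 # no ticket at all
    changes = detect(baseline, snapshot(root))
    tickets = [Ticket("CHG-1001", frozenset({"etc/httpd.conf"}), frozenset({"webadmin"}), "cab.lead", win),
               Ticket("CHG-1002", frozenset({"etc/sshd_config"}), frozenset({"root"}), "root", win),
               Ticket("CHG-1003", frozenset({"etc/cron.d/nightly"}), frozenset({"opsadmin"}), "cab.lead", win)]
    events = [AuditEvent("etc/httpd.conf", "webadmin", t0 + timedelta(minutes=30)),
              AuditEvent("etc/sshd_config", "root", t0 + timedelta(minutes=40)),
              AuditEvent("etc/cron.d/nightly", "opsadmin", t0 + timedelta(hours=5)),
              AuditEvent("etc/ld.so.preload", "root", t0 + timedelta(hours=1))]
    return {p: s for p, (s, _r) in reconcile(changes, events, tickets).items()}
```

Calling demo() on an empty temporary directory yields one authorized change (the ticketed httpd.conf edit) and three unauthorized ones, each carrying the reason a reviewer needs to act on it. The point of the design is that a change only becomes "authorized" by matching every criterion at once; anything left unauthorized is an investigation item, not something to promote into the baseline.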
Tripwire's change reconciliation is uniquely defined by its abilities to view detailed change information, promote expected changes, integrate with change ticketing systems, and trigger various actions upon detection of change. Such actions can include sending alerts and detailed change information via email or SNMP, as well as triggering commands that can be used to run predetermined tasks or activate third-party tools such as system backup tools.
Change Reporting - Tripwire Enterprise increases IT’s control over change by providing tools
to report on change, ensuring that all changes are authorized and all unauthorized changes are
investigated – two key elements in creating a culture of change management, the foundation of
a high performing IT organization.
Tripwire Enterprise provides timely reports and dashboards showing the change status of IT service stacks across the enterprise, so that management can drill down into reports for metrics to help them improve their process, and can use real-time status to help with incident management and determine outage root causes. These reports and dashboards can be archived for future reference in HTML, PDF, or XML format.
Report linking allows organizations to quickly drill down from overview reports to more
detailed reports. For instance, a report could show the change rate of selected systems for the
past year; then could drill down into a specific quarter, and then drill down to a specific month
to view weekly change rates.
As change management processes become mature, IT organizations can use Tripwire to further automate processes, such as reconciling detected changes with planned, expected changes. Advanced features, when implemented, deliver even more visibility into operations and enable IT to extend change auditing capabilities to security, compliance, and system availability initiatives.
WHY IT'S WORTH IT
There are numerous benefits to implementing a culture of change management with change
auditing. Most importantly, enforcing a change management process will aid in passing audits,
improve service quality, and assure the integrity of the IT infrastructure.
Change auditing makes it less demanding to meet and maintain regulatory requirements and pass internal and external audits. Passing an audit requires sufficient assurances that business risks are mitigated. For instance, SOX requires completeness and accuracy of financial reporting. PCI requires protection of cardholder information. If all changes to a system can be proven to be authorized, the costs of additional control testing for the system are minimized. Once configured, tested, and deployed into production, IT systems will continue to operate appropriately unless changed.
Change auditing can do much more than just help prove that controls are in place; it can also
increase service quality and reduce unplanned work. Reducing unplanned changes increases
availability and breaks the traditional downward spiral of unplanned work or firefighting that
consumes many IT organizations. The predictability of IT increases when service availability and
performance remains consistent and new services are deployed on time and within budget.
Lastly, strong internal change controls provide management and auditors the confidence
and supporting evidence that security measures are effective and IT systems operate with in-
tegrity. They mitigate potential risks of malicious changes and provide Security with a reliable
and unbiased view of change across an enterprise.
In the 21st Century IT organization, change management is more than just a good idea; it's
a business imperative for the IT organization that wants to fulfill its business objectives suc-
cessfully. By creating the culture, controls, and credibility of successful change management,
today’s IT organization can finally lock down change management – and realize the benefits of
being a high performing IT organization.
OPERATIONAL EXCELLENCE
IMPORTANCE FROM A MANAGEMENT PERSPECTIVE
Information technology systems contain the data and intellectual property that constitutes
the lifeblood of most organizations. In many cases, a system failure, security breach, or other
problem associated with a key system can have dire consequences to an organization’s ability
to attain its goals and may even result in lawsuits and regulatory enforcement actions. These
systems must be properly designed, deployed, and safeguarded to ensure that organizational
goals can be met and enterprise risks are managed to acceptable levels. If such safeguards are
not properly designed with the risks and benefits in mind, a great deal of wasted cost and
frustration can be added to the organization.
The design and implementation of effective controls must be integrated into the daily
processes of the organization to attain operational efficiencies. If the cost of implementing con-
trols outweighs the risk management or operational benefits, the overall control environment
will not be sustainable. There must be measurable benefits to the organization for controls to
be adopted as part of its culture. This adoption of risk management and controls into the fiber
of information technology will help shift an organization’s understanding of controls from a
point-in-time project implementation mindset to a sustainable approach embedded into day-
to-day operational processes. The need to manage risks is real.
There are several themes that will be covered in this chapter:
1. Total elimination of risk is not possible.
2. Controls must reduce risks to an acceptable level.
3. Processes must embed the controls needed to mitigate risks.
4. Regulatory compliance and security concerns are risks that will exist in perpetuity.
5. Controls must be designed into the systems and applications – not simply layered
on top.
6. An organization that is operationally excellent has a partnership relationship with
its auditors.
ENABLING COMPLIANCE
Many controls yield regulatory compliance benefits and very real security and operations
benefits when designed properly. An analogy is the response of U.S. automakers to mid-1970s
regulatory requirements for emissions. Automakers responded with emissions control systems
that were layered on top of existing engine designs. As a result, horsepower, fuel efficiency, and
reliability plummeted while complexity increased. Over time, new engine designs were developed
that met emissions regulations while improving power, reliability, and fuel efficiency to
meet or exceed pre-regulatory levels.
Similar proactive compliance-enabling system designs are occurring today for information
technology operations. However, rather than simply layer controls on top of existing systems [1]
and processes, we must ensure that systems and processes internalize and adequately
support the mandated and necessary controls to cost-effectively mitigate risk and achieve
operational excellence.
OPPORTUNITIES TO IMPROVE OPERATIONAL EFFICIENCY
Each organization faces its own risk and resource challenges. One common theme for ev-
eryone is that there will always be more risks than resources available. Investments must be
made with due care to ensure the goals of the organization are safeguarded. A study from AT
Kearney reports that management is concerned about information technology being too fix-
ated on day-to-day operations. It found that 70 percent of business executives believe technol-
ogy innovation is critical yet 80 percent of actual information technology expenditures are
spent on infrastructure and core operations. Forty-five percent of business executives strongly
agreed that technology groups were too focused on day-to-day requirements versus strategic
goals. [2] The only way information technology will get out of this low productivity rut is to
vigorously adopt process improvement and pursue the defects that expose the company to risk,
cause unplanned work, and misuse resources.
For any organization to be successful and for the corporate culture to truly adopt a con-
trol-rich environment, there must be strong and unwavering support from top management.
Auditors call this the “tone from the top.” Management must say and do the right things to
reinforce the need for controls to be successful.
While there are numerous elements that help create an effectively run organization, this
chapter focuses on the prudent alignment, management, and system controls that are com-
monly associated with regulatory compliance and process improvement efforts. These topics
are a good place to start when discussing your organization’s process improvement efforts.
ALIGNMENT
Proper alignment of the information technology function is crucial to support enterprise
business unit needs. Technology is an enabler for improving process productivity—but it
must be embedded in each functional area’s goals and objectives. Information technology can
enhance productivity, simplify collaboration among employees, partners, and customers, and
aid in risk management while improving day-to-day customer service, risk management, and
compliance processes. Information technology personnel must be involved in the strategic,
operational, and tactical planning processes. Senior management must have transparency into
the progress and problems associated with the use of information technology for daily opera-
tions and management of risk within each business unit.
[1] Technically, a system is a combination of people, processes and technology. For the sake of emphasis on process
design, it is called out separately here.
[2] AT Kearney. "Why Today's IT Organizations Won't Work Tomorrow", 2005.
http://www.atkearney.com/main.taf?p=5,3,1,111
PROJECT MANAGEMENT
From an operations perspective, time is money. This is why project management is an impor-
tant process domain. It helps ensure that the outcomes of information technology projects
are on time, within budget, and deliver the expected outcomes. In its 3Q04 CHAOS report,
the Standish Group revealed that only 29 percent of information technology projects they
surveyed up to that point delivered on time, within budget, and with the required feature set.
Fifty-three percent of the projects were late, exceeded budget, or had a reduced feature set. The
remaining 18 percent outright failed. [3] Formal project management practices must be followed
to reduce these risks.
Compliance efforts can be affected by project failures as well. Information technology business
units must be concerned that a large project failure could trigger a disclosure. They must also
worry about pressures associated with problem projects that cause testing, security, training,
documentation, or other needed controls to be discarded or improperly executed due to short-
age of time or budget.
RISK MANAGEMENT
Contrary to some beliefs, companies cannot eliminate all risks for two reasons. First, the
internal and external threats that create risk are very dynamic. Second, control investments
eventually result in diminishing returns. Instead of focusing time and resources on eliminating
risk, a realistic goal should be to reduce risk to a level that is acceptable to senior management
and the board.
Proactive risk management is a process that must be embedded in the organization’s cul-
ture to reap significant benefits. It can be used to constantly “tune” the control environment to
ensure that correct controls are present and mitigating risks. Without using risk data input, the
organization may have the wrong controls—or no controls—in place, which could leave the
organization exposed to significant threats, material findings, and excessive costs.
Information technology personnel and resources play an integral risk management role,
aiding in threat prevention, detection, and reconciliation. With the help of technology re-
sources, business units and senior managers can work to execute a cost-effective program that
continuously identifies, prioritizes, and manages risks.
CONTROL LAYERS
All business units need to understand risk-based controls and how they should be deployed.
Controls are processes that are implemented to reduce the variation around the attainment of
objectives and can be grouped into three broad categories of controls—preventive, detective
and corrective.
Preventive controls are intended to proactively prevent problems. Policies and procedures
are classic examples, as they are written in advance to prevent problems from happening.
Detective controls are designed to identify that an event is occurring or has occurred histori-
cally. The use of Tripwire Enterprise to scan and detect changes illustrates this type of control.
Corrective controls are intended to return a system to its last known good state. For example,
restoring a system to its stored, approved configuration image is a corrective control.
[3] The Q3 2004 CHAOS Report, The Standish Group International, Inc.
http://www.standishgroup.com/sample_research/PDFpages/q3-spotlight.pdf
When designing controls to proactively mitigate risks, consideration must be given to
using tiers of controls in the same manner that a castle builder uses multiple walls to protect
a fortress. Security personnel call this approach “defense in depth,” wherein layers of controls
are used to protect against known and unknown threats that can originate from inside or
outside of the organization. Controls must be risk-based.
In some cases, the use of several relatively inexpensive and simple controls may gener-
ate more reliable outcomes than one expensive or complicated control. Layered controls also
create a “safety net,” in the event that a previous control layer fails. The objective is to have
sufficient capabilities to reduce risks to an acceptable level. When auditors review controls
and determine that there has been a failure, they will look for compensating controls to offset
the level of deficiency. [4] In other words, if one layer fails, they will look to see if any other
controls are present to detect or reduce the impact of the failure of the first level. If other
controls are in place, the auditor can use his or her judgment to reduce the severity of the
noted deficiency.
POLICIES AND PROCEDURES
Policies and procedures must be formally documented and reviewed with employees. Without
documenting, communicating, enforcing, and raising awareness of corporate standards, security
and process improvement efforts will not achieve the intended goals. If employees are not aware
of how to properly execute their duties and responsibilities according to these standards, they
will be ineffective.
When developing policies and procedures, document only what can realistically be done. This
can be accomplished by involving the process owners in the generation and maintenance of the
policies and procedures. Moreover, there must be triggers in the system development life cycle
and change management processes to ensure that policies and procedures are updated as the
computing environment and risk environment changes. At a minimum, they should be reviewed
annually.
When designing policies and procedures for regulatory compliance and auditors, bear in mind
that auditors will need proof of compliance by obtaining evidence that the work was done. Engage
your Internal Audit department to identify what controls need to be evidenced and what means
are acceptable. Based on his or her recommendations, policies and procedures should properly
reflect evidence/documentation requirements.
TRAINING
For employees to reasonably perform their jobs, they must be educated about their duties and
responsibilities. This entails learning the organization’s culture, policies, and procedures, in
addition to learning new technology and processes. For information technology personnel to
effectively identify risks and areas for improvement, their skills must be current. Investments
in training yield a more secure, effective, and efficient organization.
[4] A control failure during an audit is deemed a "deficiency" by auditors. In the world of Sarbanes-Oxley, the level of
severity ranges from "deficiency" at the low end, to "significant deficiency" and finally to the worst one, "material
weakness." Definitions of these levels are in PCAOB Accounting Standard 2.
SEGREGATION OF DUTIES
All systems have critical processes that, if subverted through human error or malicious intent,
will significantly impact the objectives they enable. No one person should have absolute con-
trol over a critical process. Instead, processes should be segregated into discrete sub-processes
that can then be assigned to parties who do not have a conflict of interest with safeguarding
the sub-process. For example, a developer should not have sufficient access to directly update
production applications. He or she should develop the application and a separate group
should test the application. Once tested, the findings should be presented to the system owner
who should review the test results and approve the application for use before it is copied into
production. Through segregation of duties, a developer cannot readily disrupt production by
mistake or intent.
CHANGE MANAGEMENT
Once a system is deployed, its integrity cannot be maintained without a prudent change
management program. Change management is a fundamental ongoing control for security,
compliance, and operational efficiency of systems and business processes. Statistics show
that human error accounts for 80 percent of network availability issues [5] and 79.3 percent of
security incidents. [6] Even if we assume these statistics are high and cut them in half, the human
error rate still represents a significant percentage of incidents. Effective change management is
the most important process improvement area to manage risks and improve efficiency.
As the number of uncontrolled changes increases, so do problematic changes [7]—those
that result in incidents, which then result in unplanned work, or "firefighting." Firefighting
wastes resources that could otherwise be dedicated to operational improvement and
organizational goals.
The solution is to implement formal change management processes that standardize change
requests, review, approval, development, testing, and implementation.
To enforce change management policies and detect the changes that occur, a change auditing
solution such as Tripwire can be used. By detecting and reporting changes, and by providing the
ability to reconcile them, the IT organization can enforce zero tolerance for unauthorized changes
and substantiate its processes for handling changes.
In order to manage risks and gain operational efficiencies, the change success rate—
the changes that can be implemented according to plan and within the allotted timeframe—
must improve. The Institute of Internal Auditors identifies five ways to reduce change
management risk:
1. Establish a strong tone from the top that stresses the need for change management and
zero tolerance for unauthorized changes.
2. Continuously monitor for unplanned outages. Decreased unplanned outages indicate ef-
fective change management.
3. Work with the business to identify when the systems can afford to be down for mainte-
nance and limit changes to those defined periods. For example, from 2 a.m. to 7 a.m.
on Sunday.
[5] Stephen Elliott, Senior Analyst, Network and Service Management. IDC, 2004.
[6] CompTIA, 2005.
http://www.comptia.org/about/pressroom/get_pr.aspx?prid=611
[7] Here, "problem change" refers to both failed changes that do not install according to plan and to changes that install
according to plan but are flawed and result in incident and problem management activity.
4. Use the change success rate metric as a key indicator. Unmanaged change environments
typically see change success rates near 30 percent. The organization must recognize that
failures represent risks to availability, security, compliance, and more.
5. Measure and report all resource commitments that are allocated to unplanned work. This
is another indicator of the effectiveness of the change management environment. A high-
performing IT organization spends less than 5 percent of its time on unplanned work,
compared to the average IT organization that spends 45-55 percent. [8]
INTEGRATE CHANGE MANAGEMENT TO INCIDENT AND PROBLEM MANAGEMENT
One of the first questions that should be asked when a system-related issue arises is "what
changed?" A great deal of time is spent trying to track down people to find out if they are
aware of any changes to the system. Such ad hoc discovery activity increases the Mean Time
To Repair (MTTR) and decreases the availability of systems and valuable resources. Alterna-
tively, if data from the change auditing system is shared with incident and problem manage-
ment teams, you can immediately identify what changed and begin tracking down why. This
will dramatically drive down the MTTR and improve availability. [9]
Another method that will enhance change and incident management capabilities is the
use of standardized and repeatable builds. The goal is to reduce configuration variations in
production and have as few builds as possible. Once standard builds are in place, the change
auditing system should be used to routinely verify that builds are not “drifting” from their
standard baseline. You want to monitor the builds in production to ensure that unauthorized
changes are not made.
As change and configuration management processes mature, it also becomes possible to
gain efficiencies through the use of repeatable builds. The goal is to make it faster and cheaper
to simply restore a build or image than to try to determine why a previously reliable build
is having problems. The stored builds and the production environments must mirror one an-
other. This is managed through policies and procedures and the use of an automated change
auditing application like Tripwire Enterprise.
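As an added example (not Tripwire's own code), the following Python sketches the workflow described here and in the earlier passage on reconciling detected changes with planned changes: hash a baseline, detect drift from it, and reconcile each detected change against approved change tickets and their maintenance windows. The file names, ticket IDs and timestamps are constructed sample data.

```python
"""Added example, not Tripwire's own code: a minimal file-integrity baseline,
drift detection, and reconciliation of detected changes against approved
change tickets. File names, ticket IDs and times below are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime


def snapshot(root):
    """Hash every regular file under root; returns {relative_posix_path: sha256}."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = digest
    return baseline


def detect_drift(baseline, current):
    """Compare a current snapshot with the approved baseline.
    Returns (added, modified, removed) as sorted lists of paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, modified, removed


@dataclass
class ChangeTicket:
    """An approved change: which paths it covers and the window it is valid in."""
    ticket_id: str
    paths: tuple
    window_start: datetime
    window_end: datetime

    def covers(self, path, when):
        return path in self.paths and self.window_start <= when <= self.window_end


def reconcile(changed_paths, detected_at, tickets):
    """Match each detected change to an approved ticket; anything without a
    covering ticket is an unauthorized change (zero tolerance, as the text says)."""
    authorized, unauthorized = {}, []
    for path in changed_paths:
        ticket = next((t for t in tickets if t.covers(path, detected_at)), None)
        if ticket is None:
            unauthorized.append(path)
        else:
            authorized[path] = ticket.ticket_id
    return authorized, unauthorized


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo():
    """Constructed scenario: baseline a tiny tree, apply one approved and two
    unapproved changes, then detect and reconcile."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"debug=off\n")
        _write(root, "bin/service", b"\x7fELF-placeholder")
        _write(root, "etc/motd", b"welcome\n")
        baseline = snapshot(root)

        _write(root, "etc/app.conf", b"debug=on\n")      # covered by CHG-0001
        _write(root, "etc/extra.conf", b"x=1\n")         # no ticket at all
        os.remove(os.path.join(root, "etc/motd"))        # ticket exists but its window has passed
        current = snapshot(root)

    added, modified, removed = detect_drift(baseline, current)
    # Sunday 2 a.m. to 7 a.m. maintenance windows (constructed dates)
    tickets = [
        ChangeTicket("CHG-0001", ("etc/app.conf",),
                     datetime(2024, 1, 7, 2, 0), datetime(2024, 1, 7, 7, 0)),
        ChangeTicket("CHG-0002", ("etc/motd",),
                     datetime(2023, 12, 31, 2, 0), datetime(2023, 12, 31, 7, 0)),
    ]
    detected_at = datetime(2024, 1, 7, 3, 15)
    authorized, unauthorized = reconcile(added + modified + removed,
                                         detected_at, tickets)
    return {"added": added, "modified": modified, "removed": removed,
            "authorized": authorized, "unauthorized": unauthorized}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```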
NETWORK MONITORING
As information technology and networks are pervasive and mission-critical, they must be
more scrupulously monitored to detect performance anomalies and threats. High traffic
volumes are also associated with higher threat levels, making automated network monitor-
ing, alerting, and response indispensable. Automated monitoring improves system security,
performance, and availability by allowing management by fact. Automation also frees the IT
team to focus on exceptions, which in turn simplifies managing large amounts of event data.
LOGICAL ACCESS CONTROLS
All access to systems and data must be limited on a need-to-know basis. As job descriptions
are understood, system roles must be documented and excess permissions removed. This
reduces the potential for unauthorized persons to overstep their roles and make malicious or
erroneous changes. For example, only a few qualified individuals should have system administrator
privileges. System roles and privileges must be routinely audited to ensure employees comply
with intended use policies and that privileges are not altered without proper authority.
[8] Jay Taylor, Julia H. Allen, Glenn L. Hyatt and Gene H. Kim. "Change and Patch Management Controls: Critical for
Organizational Success." The Institute of Internal Auditors, 2005.
http://www.theiia.org/index.cfm?doc_id=5167
[9] More information is online at http://www.itpi.org/visibleops.
PHYSICAL ACCESS CONTROLS
Once a person gains physical access to a host, he or she can gain control of the host. To guard
against malicious acts and unintentional accidents, access to data centers, wiring closets,
server closets, and other centers of information activity should be limited to those individuals
with a business need. Ideally, door locks should be digital with an audit log that can be rou-
tinely reviewed by security personnel. At the same time, all access to the data center should be
recorded on a log sheet with the date, time, name, and reason. The access log should corre-
late with the door lock log. All visitors, including vendors, guests and contractors, should be
escorted at all times. There are many different access controls available and the organization
should select and implement them such that the level of residual risk is acceptable to manage-
ment.
BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY
The job of disaster recovery (DR) is to recover an asset or process from a disaster. Business
continuity planning (BCP) on the other hand, is tasked with ensuring the organization’s func-
tioning after the occurrence of one or more risk events. By pre-planning response to business-
disrupting events, organizations can respond with relative ease. For example, changing from
primary to backup systems can happen with virtually no impact to the business. If the risks of
power failure are significant enough, the BCP will include the installation of appropriately
sized uninterruptible power supplies and generators. When the power does fail, the systems
remain online supporting the business.
Each organization must define its own acceptable, risk-based level of fault tolerance. The
level of investment in BCP and DR systems must be commensurate with the risks to the orga-
nization. For example, if a data center averages power outages of a few seconds each hour on
an average of 3-4 times per year and the systems are not essential, then a generator may not be
needed. On the other hand, even though the historical outage frequency is low, if the systems
are mission-critical, even the threat of an outage lasting longer than the life of the UPS batter-
ies may warrant a generator with the appropriate capacity. The probability of the risk and the
impact to the organization must drive the investment.
AUDIT
Operationally excellent IT organizations have a partnership relationship with their auditors
that creates new value for the organization. Auditors provide at least three benefits that enable
organizations to identify and design the necessary risk-based controls to ensure IT continuity.
Audit can:
1. Verify that employees are following established policies and procedures.
2. Provide an opportunity for a third party to review activities and make impartial
recommendations.
3. Provide opinions about the regulatory environment, the direction of the firm’s audit
department and, if applicable, expectations from external auditors.
IT AUDIT
In addition to meeting unrelenting demands for increased efficiency, technology must also
address the challenges of security and regulatory compliance, and enable many business goals
and objectives. Operational excellence provides the means to contribute to the organization's
success.
Within the realm of technology operations, repeatable and reliable information technology
management processes are vital to success. A growing body of research is confirming that
operations and information security are closely linked—that is, best-in-class technology
operations also deliver best-in-class security.
Based on a variety of research efforts, the Information Technology Process Institute (ITPI)
produced the landmark guidance paper "The Visible Ops Handbook: Implementing ITIL in 4
Practical and Auditable Steps" (www.itpi.org). This handbook provides succinct guidance on
implementing ITIL in four practical and auditable steps. Its conclusions indicate that technology
operations need to focus on process improvement, work closely with security (to deliver
requirements), and operate in a "repeatable" and controlled manner. Research indicates that
inappropriate changes to production operations are one of the highest information technology
risks facing an organization. All changes to production must be authorized, tested prior to
implementation, and auditable.
For more information on how to begin a process improvement journey by holistically addressing
change, release, configuration, incident and problem management, be sure to read the IT Process
Institute's "The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps." It
comprises three focused projects followed by a continual improvement process. More information
is online at: http://www.itpi.org/visibleops.
The Institute of Internal Auditors (IIA) has also produced guidance regarding the critical
issue of Patch and Change Management. “Change and Patch Management Controls: Criti-
cal for Organizational Success” is part of The IIA’s long-term initiative to develop global
technology audit guidance (GTAG – www.theiia.org/technology). This guide helps chief audit
executives (CAEs) counsel their peers and staff on IT governance for effectively manag-
ing technology risk. Based on the IIA’s research, the top five risk indicators of poor change
management are:
1. Unauthorized changes (any number above zero is unacceptable).
2. Unplanned outages.
3. Low change success rates.
4. High number of emergency changes.
5. Delayed project implementations.
Stable, well-managed production environments require that implemented changes be predict-
able and repeatable and that they follow a controlled process that is defined, monitored, and
enforced. The necessary controls to achieve this are analogous to the controls used in financial
processes to reduce the risk of fraud and errors—segregation of duty controls and supervisory
controls. High-performing organizations have reached this same conclusion, further support-
ed by the extensive work performed by ITPI, the Software Engineering Institute (http://www.
sei.cmu.edu/), and others.
COMMON CHARACTERISTICS OF HIGH-PERFORMING ORGANIZATIONS
Extensive research by SEI, ITPI, IIA, and others has shown that high-performing organiza-
tions share the following operational characteristics:
• High service levels and availability—measured by mean time between failures (MTBF)
and mean time to repair (MTTR).
• High throughput of effective change—sustaining change success rates of over 99
percent.
• Greater investment early in the information technology lifecycle—as measured by staff
deployed on non-operational and pre-production activities.
• Early and consistent process integration be-
tween information technology operations and security—integrating security into require-
ments rather than adding it afterward.
• Posture of compliance—a trusted relationship among all stakeholders.
• Collaborative working relationship between functions—working together to solve
common objectives.
• Low amount of unplanned work—spending less than five percent of their time on
unscheduled activities.
• Server to system administrator ratios greater than 100:1—in addition to being highly
effective, high-performing operations are also highly efficient.
Two quotes by W. Edwards Deming are particularly relevant to Operations: "If you can't
describe what you are doing as a process, you don't know what you are doing" and "It is not
enough to do your best; you must know what to do and then do your best."
The audit committee and the board want to ensure that management has identified and as-
sessed risks that could affect the achievement of organizational objectives. Internal auditors
can serve as the eyes and ears of management and the board, seeking out areas of improve-
ment. The importance of an effective patch and change management process to a stable IT
environment and overall operational excellence cannot be overstated.
For most organizations, any breakdown in IT systems can bring business to a halt. As a
result, attention to operational excellence is critical to prevent major business losses and po-
tential stock price declines with consequent loss of market capitalization. IT operations must
ensure reliable IT systems, and to be successful, they must be supported by management, and
monitored and evaluated by internal audit functions. Tripwire encourages management to
perform periodic self-assessments of its change and patch management practices.
CHANGE AND PATCH MANAGEMENT SELF-ASSESSMENT CHECKLIST
Questions (rate your company's Ops readiness for each: Yes/Sometimes, No/Rarely, Needs Improvement)
1. Do you believe the organization has an effective change management process?
- Is the process mature?
2. Does your organization exceed an acceptable number of unauthorized changes?
3. Is your tolerance level for unauthorized changes established and clearly
communicated?
- Is it improving?
4. Are the controls within your change management program comprehensive and
effective?
- Do they reflect the need for preventive, detective, and corrective controls?
5. Has the organization seen benefits from the change management process and
efforts to make it best-in-class?
6. During your last major outage, did you exceed your unauthorized change level?
- Does this reflect fundamental weaknesses?
7. Are your problem solving processes robust? – (Re: Operational Problems)
8. Is the overall health of your IT operations monitored?
9. Is the goal of your change management processes to provide a secure and stable
IT Operations?
10. Is the organization’s patching process disruptive?
11. Do you have a percentage of change requests established?
- Is this level appropriate?
12. Are the development, testing, quality assurance, and production environments
adequately segregated?
13. In practice, do you perform quality system testing prior to implementation?
- Are you improving these processes?
14. Is the emergency change management process robust?
15. Do you have an appropriate level of compliance testing? – (to confirm all
changes are approved)
16. Is the change success rate as a percent of total changes acceptable?
17. Is the current percentage of the IT budget used to fund operations appropriate?
18. Is the percentage of the budget for operations used to fund unplanned work excessive?
HOW TRIPWIRE HELPS ORGANIZATIONS ACHIEVE HIGH-PERFORMANCE OPERATIONS
The purpose of improving IT operations is to ensure that critical business services are always available to an organization’s employees, partners, and customers. As enterprise IT infrastructures have become highly complex, any unplanned change to even one network element can result in costly consequences. When an IT organization is able to detect change across the enterprise infrastructure, it has taken a significant step to achieving high-performance processes.
Many IT organizations currently devote 35 percent of their time to handling unplanned work. Unplanned outages and repairs create internal chaos, result in long mean times to repair, raise IT costs, and delay delivery of new services. In contrast, high-performing organizations experience only five to ten percent unplanned work.
Tripwire change auditing solutions institute independent change detection capabilities. As a fundamental component of well-defined change and configuration management programs, Tripwire provides visibility into changes occurring on file servers, middleware, desktops, network devices, and directory servers across the enterprise.
A Best Practice. Tripwire is a recognized leader in change monitoring and auditing solutions. Tripwire change audit data can be integrated with management consoles and reporting packages such as Remedy AR System, HP OpenView, and similar systems, for a comprehensive view of change across the infrastructure.
Document and Implement Preventative Controls. Tripwire validates that all changes to infrastructure elements are tracked, synchronized with documentation, and applied consistently across the appropriate systems.
Avoid Moving Targets. Tripwire ensures that no changes are made to infrastructure while
staff is inventorying assets, mapping services, calculating change rates and change success
rates, and determining typical MTTR. With Tripwire software, you can avoid “moving targets”
as you establish a known good baseline database for all production assets.
Enforce Change Management Policies. Because Tripwire alerts you to change, it becomes a vital tool for enforcing change management policies and processes. Nothing can change without you knowing what, when, and who. Tripwire assures that no changes are made outside of maintenance windows and that all changes can be mapped to authorized work orders.
Accelerate Network Troubleshooting. Tripwire immediately notifies designated staff members of changes that occur, enabling them to pinpoint the change and determine its potential impact. Organizations that have integrated Tripwire change auditing software into change management processes have reduced mean time to repair (MTTR) significantly. If the change is not desired, Tripwire software enables rapid restoration of files to a known good state. Tripwire can also automatically direct third-party tools to restore systems to their expected state.
Integration with Change Management Processes. Reconciliation capabilities enable you to quickly align detected changes with change approval and release management processes. Many organizations integrate Tripwire change auditing solutions with trouble ticketing and maintenance systems to close the loop on change management.
Verify Desired Changes. Detecting unwanted change is only half the battle. The other half is verifying that changes you want to occur actually do occur. Tripwire also verifies that authorized changes were successfully made, provides documentation of planned changes, and stores “before and after” system snapshots. Assuring that patches or new configurations are rolled out correctly is now as simple as viewing the changes reported by Tripwire.
Reporting. Independent reporting of changes enables you to provide auditors with verifiable
logs, document compliance, accelerate troubleshooting, determine corrective action,
and enforce change management policies. Detailed reports and audit logs of every change
are provided.
Security. Tripwire monitors the configuration, applications, and underlying operating systems of security software and devices to detect and report change. In this way, Tripwire provides independent validation that security applications and their configurations have not been compromised or changed without authorization. Tripwire also monitors and cryptographically protects its own files to protect itself from compromise.
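The three mechanisms this chapter describes (a known good baseline of production assets, reconciliation of detected changes against maintenance windows and authorized work orders, and verification that planned changes actually landed, with the baseline itself protected cryptographically) can be shown in a few dozen lines. The following is an added illustration written for this guide, not Tripwire's own code or data model; the directory tree, the ticket numbers CHG-1001 and CHG-1002, the maintenance windows, and the HMAC key are all constructed for the example, and the HMAC seal stands in for whatever mechanism a real product uses to protect its baseline database.

```python
"""Minimal file-integrity baseline with change reconciliation (constructed example)."""
import hashlib
import hmac
import json
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path


@dataclass
class WorkOrder:
    """An approved change ticket (constructed): which paths it may touch and when."""
    ticket: str
    paths: set
    window_start: datetime
    window_end: datetime


def snapshot(root: Path) -> dict:
    """Record a content hash and permission bits for every regular file under root.
    This is the 'known good baseline' for the tree."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                         "mode": oct(p.stat().st_mode & 0o777)}
    return snap


def seal(snap: dict, key: bytes) -> bytes:
    """Serialize the baseline and attach an HMAC-SHA256 tag so that tampering
    with the stored baseline is itself detectable."""
    body = json.dumps(snap, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


def unseal(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the baseline; raise on mismatch."""
    env = json.loads(blob)
    body = env["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(body)


def baseline_is_intact(blob: bytes, key: bytes) -> bool:
    try:
        unseal(blob, key)
        return True
    except ValueError:
        return False


def diff(before: dict, after: dict) -> dict:
    """Classify differences between a 'before' and an 'after' snapshot."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(p for p in before.keys() & after.keys()
                               if before[p] != after[p])}


def reconcile(changes: dict, orders: list, detected_at: datetime) -> dict:
    """Detective control: a change is authorized only if some ticket covers the
    path AND the detection time lies inside that ticket's maintenance window.
    Also report tickets whose planned changes were never observed."""
    touched = set(changes["added"]) | set(changes["removed"]) | set(changes["modified"])
    authorized, unauthorized = {}, []
    for path in sorted(touched):
        match = next((o for o in orders if path in o.paths
                      and o.window_start <= detected_at <= o.window_end), None)
        if match:
            authorized[path] = match.ticket
        else:
            unauthorized.append(path)
    not_observed = {o.ticket: sorted(o.paths - touched)
                    for o in orders if o.paths - touched}
    return {"authorized": authorized, "unauthorized": unauthorized,
            "planned_but_not_observed": not_observed}


def demo() -> dict:
    """Build a constructed tree, baseline it, apply changes, and reconcile them."""
    key = b"constructed-demo-key-not-for-production"
    utc = timezone.utc
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.conf").write_text("threads=4\n")
        sealed = seal(snapshot(root), key)          # baseline taken and sealed

        # Later: one approved change, one change nobody approved, and one
        # planned change (CHG-1002 on etc/sshd_config) that was never made.
        (root / "app.conf").write_text("threads=8\n")                      # CHG-1001
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost extra\n")  # unapproved

        orders = [
            WorkOrder("CHG-1001", {"app.conf"},
                      datetime(2024, 1, 10, 2, 0, tzinfo=utc), datetime(2024, 1, 10, 4, 0, tzinfo=utc)),
            WorkOrder("CHG-1002", {"etc/sshd_config"},
                      datetime(2024, 1, 10, 2, 0, tzinfo=utc), datetime(2024, 1, 10, 4, 0, tzinfo=utc)),
        ]
        detected_at = datetime(2024, 1, 10, 2, 30, tzinfo=utc)
        changes = diff(unseal(sealed, key), snapshot(root))
        return reconcile(changes, orders, detected_at)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))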
IT AUDIT
IMPORTANCE FROM A MANAGEMENT PERSPECTIVE
Continuous and proactive risk assessments and risk management are quickly becoming the norm. Auditing is management’s tool to make sure the entire organization has the resources, systems, and processes for delivering efficient, effective, and secure operations. Audits are also designed to identify key goals, issues, and challenges facing an organization and evaluate its progress against important initiatives. In leading organizations, internal auditors provide independent assurance to key stakeholders while identifying any areas for improvement that management should consider.
For each organization there are different goals and objectives, and certainly different issues
and challenges. Therefore, there is no one-size-fits-all audit process, nor one audit approach
that fits all situations. There are, however, some common and strategic audit-focused questions
that must be addressed in most organizations:
• Is your organization addressing regulatory compliance requirements adequately?
• Is your organization investing in operational excellence?
• Has continuous improvement been studied for applicability and implemented in some form in your IT function? In your various business units? In audit?
• Do your governance and risk management practices reflect today’s operating climate?
• Is your performance meeting the needs of your customers and potential future customers?
• Is your management forward looking? Or are they just investing in solving past problems?
In general, a proactive technology function, compliance function, business unit, and management team will study and learn the strategic direction of the organization and implement plans to contribute to the achievement of the organizational goals. A proactive internal audit function assesses the plans of management to achieve the long-term strategic direction of the organization. Therefore, in preparing for audits, management needs to define and implement plans to meet the long-term goals of the organization and continually communicate progress toward the stated goals with the auditors.
An effective internal audit activity understands the organization, its culture, operations, and risk profile. This makes audit a valuable resource for management, the board, and its designated audit committee. The objectivity, skills, and knowledge of competent internal auditors can significantly add value to an organization’s internal control, risk management, and governance processes.
Internal auditors need to take a risk-based approach in planning information technology audit activities. With limited resources, auditors must focus on the highest-risk project areas and add value to the organization. Audit best practices also suggest internal auditors should be involved throughout a project’s life cycle, not just in post-implementation evaluations.
ENABLING COMPLIANCE
Compliance ensures that an organization’s governance processes are effective and its primary risks are being managed. Compliance is founded on effective controls—those structures, activities, processes, and systems that help management effectively mitigate risk. A dedicated, independent, and effective internal audit brings a systematic, disciplined approach to assessing the effectiveness of internal controls and risk management processes. Because internal auditors are experts in understanding organizational risks and the internal controls available to mitigate these risks, they assist management in understanding these topics and provide recommendations for improvements. At the same time, data gathered from an audit can also help an organization improve its operations across the enterprise.
The internal audit’s assurance role supports senior management, the audit committee and board of directors, and other stakeholders by providing independent opinions on various technology efforts and activities (i.e., to improve the organization’s operations and help achieve its goals and objectives).
A formal audit or even a series of audits by internal audit provides management and the board with an increased level of assurance that compliance efforts are meeting the needs of the organization. Each audit presents an opportunity to promote the sharing of lessons learned and best practices with all of the stakeholders involved in compliance efforts.
As detailed in the Compliance chapter of this guide, an organization needs an effec-
tive audit program to protect against regulatory and reputation risk. The Compliance
self-assessment audit questionnaire provides an approach to assess your current baseline
for compliance.
OPPORTUNITIES TO IMPROVE OPERATING EFFICIENCIES
The internal audit plan provides a roadmap for internal auditors to assess the organization’s
operations systematically. The audit plan is based on internal audit’s on-going risk assessment
of the organization. Technology initiatives and processes that should have some level of audit
involvement include:
• Most major system application initiatives—typically involves major operational change and supports organizational goals.
• Any significant changes to the technology infrastructure—involves key aspects of reliability and security.
• Patch and change management processes—involves control of all organizational change and contributes greatly to the reliability of technology operations and security.
• Information security efforts—as a primary element of information protection.
• Important technology management processes, such as the system development life cycle—supports and encourages the continuous improvement of information technology.
• Disaster recovery and business continuity program efforts—protects the organization’s long-term survivability.