WHITEPAPER
Automating Change Management for Security,
Compliance, Stability, and Sanity
Alex Bakman
Founder and Chairman
Ecora Software

This whitepaper will review all aspects of change management and present concrete steps you can use to take control of change in your environment.

The Implications of Change

All IT systems are in a constant state of flux, with changes taking place minute by minute. Right now, for example, it is likely that, on your own IT system, someone is installing an application or patch, changing a configuration setting, adding a new user, rolling out a new desktop, or making some other type of change. And even a simple change can greatly impact systems, servers, and applications.

When any change occurs, the infrastructure moves from a "known" state, where systems are secure and operating effectively, to an "unknown" state where it is impossible to be confident that everything is as intended. In fact, any change can have a number of implications, which can impact on everything from operational efficiency, risk management, and business continuity to security, systems integrity, and regulatory compliance.

This occurs because each component and setting in the IT environment is dependent on other components or settings, and every new device or application adds additional settings and new dependencies. This level of complexity makes controlling change more and more challenging.

Let me give you a simple example. An Ecora Software customer had a problem with their Exchange server, so their email wasn't operating. They tried one thing after another to get the server up and running without any success. In the end, the administrator re-installed everything so that the Exchange server (and email) was working again. Everybody was happy, until a security breach was identified several weeks later. You see, when the administrator did the install, he forgot about re-installing the service packs, which had patched some major security problems.

According to Gartner, eight of every ten incidents of unscheduled downtime can be traced to change, and in this case, as in so many others, the problem can be traced to a change.

The Evolution of IT Compliance and Best Practices

Almost every organization deals with regulatory compliance requirements on some level, and it is no longer acceptable to be compliant just for an audit alone.

With requirements increasing, expectations for continuous compliance are growing. Financial institutions, for example, may be audited several times each quarter by different regulatory agencies, which necessitates a state of constant readiness and makes it essential that IT staff members are not tied up in "fire drill mode." These organizations have made compliance a standard procedure so there is no need to "get ready" for an audit. Best business practices are being integrated into daily IT service delivery, controls are in place, and solid reports are available so that these organizations are always ready for an audit.

Change management is at the heart of every regulatory standard. If an organization is not controlling what's changing in the IT infrastructure, the risk of security exposure is great. Unfortunately, many organizations don't consider the relationship between change management and security, and, particularly, the threat that can come from uncontrolled changes made by employees within the organization itself.

How can this type of security issue be discovered and controlled? There are literally thousands of configuration settings (including access control lists, credentials, permissions, password aging, patches, etc.) that control security. All applications have access controls, for example, and if an organization is not monitoring changes to access controls, it can't be completely secure. Similarly, if an organization doesn't control credentials, there is no way to know which unauthorized personnel (or former personnel) may still have access to critical systems. Best practices in configuration and change management lead to a more secure enterprise computing environment.

Regardless of how change management processes are created or which tools are deployed for change management, an organization must control the "what" or "what's changing," the "how" or "how will it be done," and the "who" or "who is making the change" for any changes to content, settings, and applications. This is particularly true for those organizations where compliance is a concern.
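
As an added illustration (not part of the original whitepaper and not Ecora's product code), the sketch below compares a "known" baseline snapshot with the current state and accepts a difference only when an approved change record names the what, the how and the who. The setting names, values and change IDs are constructed, and it assumes the Exchange reinstall described earlier had been recorded while its side effects had not.

```python
# Constructed sample data: setting names, values and change IDs are illustrative.
BASELINE = {                                   # last "known" state
    "exchange.service_pack": "SP2",
    "acl.mailstore": "admins:full",
    "account.former_employee.enabled": "false",
    "password.max_age_days": "90",
}
CURRENT = {                                    # state after the reinstall
    "exchange.install_date": "reinstalled",
    "exchange.service_pack": "none",
    "acl.mailstore": "admins:full;everyone:read",
    "account.former_employee.enabled": "false",
    "password.max_age_days": "90",
}
APPROVED = [                                   # change records: what / how / who
    {"id": "CHG-0001", "what": "exchange.install_date",
     "how": "reinstall from media", "who": "mail-admin"},
    {"id": "CHG-0002", "what": "acl.mailstore",
     "how": "manual edit", "who": ""},         # no accountable person recorded
]

def diff_snapshots(baseline, current):
    """Return {setting: (old, new)} for every added, removed or altered setting."""
    keys = sorted(baseline.keys() | current.keys())
    return {k: (baseline.get(k), current.get(k))
            for k in keys if baseline.get(k) != current.get(k)}

def reconcile(changes, approved):
    """Split observed changes into (authorized, unexplained) lists."""
    # A record only counts when what, how and who are all filled in.
    complete = {r["what"]: r for r in approved
                if r.get("what") and r.get("how") and r.get("who")}
    authorized, unexplained = [], []
    for setting, (old, new) in changes.items():
        rec = complete.get(setting)
        if rec:
            authorized.append((setting, old, new, rec["id"], rec["who"]))
        else:
            unexplained.append((setting, old, new))
    return authorized, unexplained

if __name__ == "__main__":
    ok, bad = reconcile(diff_snapshots(BASELINE, CURRENT), APPROVED)
    for s, old, new, cid, who in ok:
        print(f"authorized   {s}: {old!r} -> {new!r} ({cid}, {who})")
    for s, old, new in bad:
        print(f"UNEXPLAINED  {s}: {old!r} -> {new!r}")
```

The reinstall itself reconciles against its record, while the lost service pack and the widened access control list surface as unexplained differences, the second because its record names no one responsible.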

Preparing for-...