http://www.securitymanager.net/magazine/article_1431_interview_tripwire_it-controls.html
Today, IT investments hold the key for companies that must stay nimble and competitive in an environment of constant change. The tougher competitive landscape has forced companies to adopt IT best practices, gain better visibility into their infrastructure, and keep increasingly complex systems running 24/7 in support of a global market, all while cutting costs.
As executives focus on the most effective use of corporate resources, it is important for them to examine how IT can become a lever for competitive advantage.
To meet these challenges, IT must use its resources as efficiently as possible. Yet many IT departments, in particular low performers, spend 50% or more of their time and resources troubleshooting unforeseen problems and fighting unexpected fires, thereby crippling their ability to implement strategic initiatives. Why? To a large extent, it’s because they have failed to master change.
SECURITYMANAGER: Why is controlling change so critical?
PAUL GOSTICK, TRIPWIRE: Configuration items must be controlled to mitigate the risks that changes to them pose to IT compliance, service quality, and security. As much as 80% of system failures and compromises are due to internal rather than external events. Change is central to these events – whether accidental or malicious in nature. These internal threats are a significant issue for every organisation, causing not only serious system compromise but also increasing the dangers of critical non-compliance.
Preventive controls are not enough; you also need detective controls and the ability to reconcile all changes, both authorised and unauthorised.
As information management practices receive greater scrutiny within organisations of all sizes, the need to evaluate and enforce IT policy systematically has become a fact of life. Strong internal change controls provide management and auditors with the confidence and supporting evidence that their security measures are effective and their IT systems operate with integrity.
IT change management and operational stability go hand in hand. Stable business operations - and, ultimately, business continuity - rely on the ability to manage change effectively across an enterprise infrastructure. Change management, in turn, can only occur when IT managers can recognise when change occurs and verify that it is both authorised and purposeful. Unauthorised change is a key contributor to unplanned work, fire fighting caused by system downtime, and security and compliance issues.
SECURITYMANAGER: What is ‘unplanned work’ and how does it affect an organisation?
PAUL GOSTICK, TRIPWIRE: This is any activity within the IT organisation that cannot be mapped to an authorised project, procedure or change request – in other words, firefighting. Any service interruption, failed change, emergency change, or patch or security incident creates unplanned work.
The percentage of time spent on unplanned work is a remarkably accurate indicator and predictor of IT effectiveness. In fact, research by the IT Process Institute (ITPI) and Tripwire shows that the high performing IT organisations that spend less than 5% of their time on urgent and unplanned work also usually have extremely high levels of operational excellence, compliance and security, together with a good working relationship with auditors.
SECURITYMANAGER: What is a high performing IT organisation and how do you know if your company has one?
PAUL GOSTICK, TRIPWIRE: Over the past six years, there has been significant progress in establishing a causal relationship between key IT controls and IT effectiveness. Research in this area has been spearheaded by the ITPI, a non-profit entity whose mission is to study IT organisations and evangelise best-known methods.
Through its work, the ITPI found that high performing organisations spent 30-40% less on unplanned work, spent less than half the effort on compliance, achieved twice as much with every security dollar spent, and had four times the server-to-system-administrator ratio, when compared to the average IT organisation. The high performers had eight times more projects and services and six times more applications – demonstrating a significant contribution to business value.
The key differentiator between medium and high performers is the ability to manage change effectively. Indeed, while 93% of high performers monitor systems for unauthorised change, this task is only carried out by 21% of medium performers.
Furthermore, the high performers are using this monitoring to enforce change control, with 83% having defined consequences for unauthorised change. Only 32% of medium performers have taken that step – and without tools to police the change process, enforcing the policy is difficult.
Low performers, in comparison, spend 50% or more of their time and resources firefighting and troubleshooting unforeseen problems. This consumes resources and severely restricts their ability to implement strategic initiatives and plan for the future.
Whilst in most industries top performers are, on average, two to three times more efficient than the rest, the top IT operations were up to fifteen times better – more than an ‘order of magnitude’, highlighting the significant difference in performance.
SECURITYMANAGER: How can my company become an order of magnitude better than the competition?
PAUL GOSTICK, TRIPWIRE: ITPI research has found that all high performing IT organisations have one thing in common: a culture of change management that prevents and deters unauthorised IT change. Among high performers, the key to simultaneously increasing efficiency and effectiveness was holding people accountable and properly implementing controls centred on IT change. Essentially, high performers focus on how work should be done in the organisation, designate who is allowed to do that work, and hold people accountable to ensure that changes only happen within their organisation’s policies. The outcome of this is that high performers deliver the lowest IT expenditure per employee ratio and spend upwards of 90% of their time on strategic projects, not unplanned work.
SECURITYMANAGER: What should I look for to know if I’m effectively managing IT change?
PAUL GOSTICK, TRIPWIRE: The easiest way to gauge the effectiveness of your change management process is to ask the question ‘What happens if someone makes a change without going through the proper procedures?’ How would you know, and how long would it take to find out? Are there detective measures in place to alert management? Are people held accountable for going around the system?
In all truth, despite the benefits of effective change management and the necessity to audit change to your system configurations, companies continue to fail in this area. In fact, half of all IT audit deficiencies are change related. Why? Because many IT organisations confuse the existence of a process with the effectiveness of a process.
Unfortunately, many IT organisations simply cannot identify the differences between effective and ineffective change management. Yet, successful change auditing processes lead to effective change management, which drives IT and business health.
SECURITYMANAGER: So what exactly is configuration audit and control and why is it necessary?
PAUL GOSTICK, TRIPWIRE: Unauthorised change is the primary cause of unplanned work, unanticipated downtime and business risk. So much so that auditors are now demanding proof of independent configuration audit and control.
Configuration audit and control, a market area recently branded by Gartner, reconciles detected changes against tested, authorised changes and provides alerts when a change is unauthorised. It objectively reports all change activity, enabling IT to prove the effectiveness of their controls and closing the loop on the change management process. With configuration audit and control capabilities in place, security and compliance processes can be enforced and any attempts to circumvent them will be identified.
When combined with a change approval process that allows only approved and tested changes to be implemented, configuration audit and control increases the availability of information systems, enhances security and maximises confidence in IT by demonstrating that only authorised and intended changes have been made to the production environment. Configuration audit and control increases operational efficiency and reduces organisational risk.
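As an added illustration of the reconciliation step described above, and of the earlier question "how would you know?", the script below is not Tripwire's code or anything from the interview: it diffs two configuration snapshots (path to SHA-256 digest) and reconciles each detected change against a list of approved, tested change tickets, flagging any change that has no open ticket or whose result differs from what the ticket tested. The paths, ticket ids, digests and change window are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AuthorisedChange:        # one approved, tested change request (hypothetical ticket format)
    ticket: str
    path: str                  # configuration item the ticket may touch
    start: datetime            # approved change window
    end: datetime
    expected_sha256: str       # digest the tested change must produce

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def detect_changes(baseline: dict, current: dict) -> dict:
    """Diff two snapshots {path: digest}: path -> (old, new); None means absent."""
    return {p: (baseline.get(p), current.get(p))
            for p in baseline.keys() | current.keys()
            if baseline.get(p) != current.get(p)}

def reconcile(diffs: dict, authorised: list, observed_at: datetime) -> dict:
    """authorised = matches a tested ticket; deviates = ticket open but result differs; unauthorised = no ticket."""
    verdicts = {}
    for path, (_old, new) in diffs.items():
        open_tickets = [c for c in authorised
                        if c.path == path and c.start <= observed_at <= c.end]
        match = next((c for c in open_tickets if c.expected_sha256 == new), None)
        if match:
            verdicts[path] = ("authorised", match.ticket)
        elif open_tickets:
            verdicts[path] = ("deviates", open_tickets[0].ticket)
        else:
            verdicts[path] = ("unauthorised", None)
    return verdicts

# Constructed sample snapshots: digests of in-memory content, no real host involved.
BASELINE = {"/etc/ssh/sshd_config": sha256(b"PasswordAuthentication yes\n"),
            "/etc/sudoers": sha256(b"root ALL=(ALL) ALL\n"),
            "/opt/app/config.yml": sha256(b"debug: false\n")}
CURRENT = {"/etc/ssh/sshd_config": sha256(b"PasswordAuthentication no\n"),      # ticketed
           "/etc/sudoers": sha256(b"root ALL=(ALL) ALL\nops ALL=(ALL) ALL\n"),   # no ticket
           "/opt/app/config.yml": sha256(b"debug: true\n"),                      # ticket open, wrong result
           "/etc/cron.d/nightly-sync": sha256(b"0 2 * * * root /opt/app/sync\n")}  # new file, no ticket
WINDOW = (datetime(2007, 5, 10, 22, 0), datetime(2007, 5, 11, 2, 0))
AUTHORISED = [AuthorisedChange("CHG-1042", "/etc/ssh/sshd_config", *WINDOW, sha256(b"PasswordAuthentication no\n")),
              AuthorisedChange("CHG-1043", "/opt/app/config.yml", *WINDOW, sha256(b"debug: false\nlog_level: info\n"))]

def run_audit() -> dict:
    return reconcile(detect_changes(BASELINE, CURRENT), AUTHORISED, datetime(2007, 5, 10, 23, 30))
```

Each verdict is evidence an auditor can use: the "deviates" case is the one a ticket list alone would miss, because the change was approved but what landed is not what was tested.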
SECURITYMANAGER: Where do companies implementing configuration audit and control see the ROI come from, and are there other, less quantifiable benefits?
PAUL GOSTICK, TRIPWIRE: Because configuration audit and control solutions, such as those offered by Tripwire, go beyond basic change and configuration management tools to provide independent detective controls, they enable enterprises to reduce operational risk and gain control over IT systems. They also deliver the objective reporting needed to monitor the security of systems, gain visibility across the enterprise, increase the availability of critical IT infrastructure and provide the proof to satisfy compliance and security audit requirements.
By auditing all change across the network, Tripwire ensures the integrity of IT infrastructure – meeting today’s strict demands for accountability and security of information. Unplanned work is reduced which lowers costs and allows more time to focus on planned and strategic projects to give the organisation a competitive advantage.
As organisations look to IT to enable the changes that let them stay nimble and competitive, IT can no longer afford to implement changes in ways that disrupt systems and cause downtime. With the right change management culture, controls and technologies, such as Tripwire Enterprise, IT can become a key enabler of change.
SECURITYMANAGER: Where do I start to implement configuration audit, control, and effective change management?
PAUL GOSTICK, TRIPWIRE: To move from “good to great,” the IT Controls Performance Survey confirms that the first step is to create a culture of change control and a culture of causality - meaning that there is a focus on analysing the impact of IT changes, both before and after they occur.
Begin by establishing ‘tone at the top’ of the organisation that unauthorised change is not acceptable and that all IT change must follow the change management policy. To be successful at this foundational step, a policy of zero tolerance for unauthorised change must be established and promoted – clearly and consistently – by executive management, with concrete consequences for violating process and policy.
Next, create a written change management policy that establishes “guard rails” for a culture of change management, requiring post-incident reviews to instil a culture of learning so that the organisation reduces the likelihood of repeated mistakes.
Having defined the change management policy and specific consequences for circumventing it, you must gain visibility of all change (not just authorised change) in order to gain full control over it. Use automated controls that negate the need for constant human vigilance, reducing the risk of human error and the staff expense of managing the process.
Implement technology to support the process and make it easy for people to do the right thing. Finally, reduce access and the opportunity for employees to make changes “on a whim.”
Without a methodology or culture for controlling change, unauthorised changes will destroy the IT organisation. By not controlling change, the organisation sets in motion a downward spiral that produces unplanned work, poor service quality, high mean time to repair, poor security, and poor compliance posture. By implementing effective change management processes and creating a culture of causality, any IT organisation can begin the process of creating an effective, high performing IT organisation that contributes significantly to business success.
Interview partner: Paul Gostick
Published: 05/2007
Author: Editorial staff
© 1999-2010