Introduction to Change

Size: px

Start display at page:

Download "Introduction to Change"

Crystal McLaughlin
8 years ago
Views:

1 Introduction to Management and SDLC Steve Owyoung Sr. Manager KPMG LLP, IT Advisory Doug Mohrland Audit Manager Oracle Corporation

2 Discussiontopics o significance o o s o o o o Software (SDLC)

3 s Organization

4 s Total fraud losses in the United States estimated to be $99 billion in 008 Of all the computer crimes reported: Computer fraud % 8% % % % Others Application Programmers Clerical Users Occupation Students Manager s 7% -90% computer crime committed by former or current employees (knowledgeable insiders)

Application Programmers Clerical Users Occupation Students Manager s 7%

5 s Why Management it is significant because it helps an organization to be efficient Adapting to Controlling Effecting change change change

6 s changes s in Physical Control Network Equipment Internet

7 s Planned/routine maintenance changes procedure and s s 7

8 s Emergency/System Recovery change procedure and s s CHANGE REQUESTOR Request a change (complete an Emergency Request Form) EMERGENCY CHANGES The change requestor solicits approval (verbal is acceptable) SYSTEM RECOVERY The support staff immediately respond and start resolving the issue Approved by or by the staff managing the systems? No The staff managing the systems perform professional judjment and make a decision whether to proceed or cancel the emergency change Yes Test required? Yes Perform testing (test ) No Yes No Yes Test passed? Notify all the constituents before implementation Implement change into The changes and the back out plans should be documented in the Request Form for later review Perform post implementation monitoring 8

No The staff managing the systems perform professional judjment and make a decision whether to proceed or cancel the emergency change Yes Test required?

9 s s o Financial loss Brand/reputational damage Losing a customer/ business o Legal exposure (sensitive data disclosure) o Unplanned, unauthorized and undocumented changes o Prone to system attack / outages (DoS) o Misuse of resources (unplanned work) 9

disclosure) o Unplanned, unauthorized and undocumented changes

10 s o Prevention Restrict logical access Firewall, IDS, OS and Application Unnecessary services Disable at the servers Block by the firewalls Restrict physical access Restrict physical access that houses critical systems to ONLY authorized employees Perform periodic physical access reviews 0

Restrict physical access Restrict physical access that houses critical

11 s o Detection Monitor metadata and look for changes Create, store and monitor baseline metadata values Metadata values: modification time, file size and cryptographic checksum Management Software Reads files or directories to monitor critical network configuration, data files, customer database files, documents and spreadsheets Takes action when a violation (change) occurs Intrusion detection (IDS)

Reads files or directories to monitor critical network configuration, data files, customer database

12 s o Recovery Maintain a backup copy of the data Identify changes based on the Management Software report Determine whether a change is authorized or not Restore a file if the change is deemed unauthorized or malicious

report Determine whether a change is authorized or not

13 s o policy, procedure and standards o request o Approval process o Deployment o result o Monitor application and networks

14 s policy, procedure and standards o Prioritize/categorize changes based on downtime, lead time, type of services and severity of the change (Low, Medium, High Urgent) o Roles and responsibilities Define and designate qualified personnel s roles Segregation of duties (SOD) Communication Enforce change- process

Medium, High Urgent) o Roles and responsibilities Define and designate

15 s Request Management o Request Analysis Business Analysis The likelihood of success Significance to business Resources required and business justification Technical Analysis System dependencies Technical requirement Project estimate o Request Reporting Make the change requests visible to Retain status of the change request when it is analyzed, prioritized, tested and deployed

System dependencies Technical requirement Project estimate o Request Reporting Make the change

16 s Approval Process o Appropriate approval should be obtained between the different phases of change process o Management approval should be documented

17 s Deployment Management o Logical (separate), Test/QA and Production o Deployment process High category changes Low/Medium category changes Emergency changes o Leverage Technology To provide auditabilityand versioning throughout the deployment process 7

Low/Medium category changes Emergency changes o Leverage

18 s Result o Key Performance Indicators (KPI) about the entire Management Process Process bottlenecks, successful techniques, etc. o Use the KPIs (by ) to make adjustments to the change procedure and o Post change implementation monitoring 8

19 s Monitor application and networks o checks using automated monitoring tools Incident response Escalation process o Periodic reviews User access OS, apps, network, etc. System configuration servers, network equipment, etc. 9

process o Periodic reviews User access OS, apps,

20 s Software Relationship between change and SDLC o Managing change is a critical component of any SDLC model Management and SLDC are not mutually exclusive o occurs throughout the development life cycle o Cost of changes is higher once out of development 7 Software 0

not mutually exclusive o occurs throughout the development life

21 s Software Relationship between change and SDLC o Waterfall model 7 Software

22 s Software Relationship between change and SDLC o Iterative model Agile Methodology Rational Unified Process (RUP) Rapid Application (RAD) Joint Application (JAD) 7 Software

23 Software Relationship between change and SDLC s o Prototyping Mange 7 Software

24 7 s Software Software Relationship between change and SDLC o V Model

25 s Software Tools to better manage change o Requirements Management o Visual Modeling o Automated Testing o Management 7 Software

26 Course Review o significance o o s o o o o Software (SDLC)

27 Questions? 7

28 Contact Information Steve Owyoung Doug Mohrland

29 Appendix s 9

30 changes OS changes (Host) o Applying OS patches s OS vendor recommendation Opening/closing OS services o Re-imaging As a backup plan when an OS update didn t go as planned As part of major/minor/emergency application changes 0

31 s changes Network changes o Software changes Deploying OS Patching OS o Configuration s Updating firewall, router, switch configuration o Hardware changes Adding/removing of network equipment

32 changes Application changes o Company specific application change s Major, minor and emergency changes New releases Bug fixes o Application configuration changes o Database changes Schema changes Database upgrades (version upgrade)

33 changes Physical access change o Physical access to data center s Preventing root level access through a system console Deactivating terminated employee s physical access Deactivating temporary physical access

34 changes Logical access change o OS Access s privileged access to /mission- critical server o Application Access privileged access to /mission- critical application o Network Access privileged access to network equipment

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams