Introduction to Management and SDLC Steve Owyoung Sr. Manager KPMG LLP, IT Advisory Doug Mohrland Audit Manager Oracle Corporation
Discussiontopics o significance o o s o o o o Software (SDLC)
s Organization
s Total fraud losses in the United States estimated to be $99 billion in 008 Of all the computer crimes reported: Computer fraud % 8% % % % Others Application Programmers Clerical Users Occupation Students Manager s 7% -90% computer crime committed by former or current employees (knowledgeable insiders)
s Why Management it is significant because it helps an organization to be efficient Adapting to Controlling Effecting change change change
s changes s in Physical Control Network Equipment Internet
s Planned/routine maintenance changes procedure and s s 7
s Emergency/System Recovery change procedure and s s CHANGE REQUESTOR Request a change (complete an Emergency Request Form) EMERGENCY CHANGES The change requestor solicits approval (verbal is acceptable) SYSTEM RECOVERY The support staff immediately respond and start resolving the issue Approved by or by the staff managing the systems? No The staff managing the systems perform professional judjment and make a decision whether to proceed or cancel the emergency change Yes Test required? Yes Perform testing (test ) No Yes No Yes Test passed? Notify all the constituents before implementation Implement change into The changes and the back out plans should be documented in the Request Form for later review Perform post implementation monitoring 8
s s o Financial loss Brand/reputational damage Losing a customer/ business o Legal exposure (sensitive data disclosure) o Unplanned, unauthorized and undocumented changes o Prone to system attack / outages (DoS) o Misuse of resources (unplanned work) 9
s o Prevention Restrict logical access Firewall, IDS, OS and Application Unnecessary services Disable at the servers Block by the firewalls Restrict physical access Restrict physical access that houses critical systems to ONLY authorized employees Perform periodic physical access reviews 0
s o Detection Monitor metadata and look for changes Create, store and monitor baseline metadata values Metadata values: modification time, file size and cryptographic checksum Management Software Reads files or directories to monitor critical network configuration, data files, customer database files, documents and spreadsheets Takes action when a violation (change) occurs Intrusion detection (IDS)
s o Recovery Maintain a backup copy of the data Identify changes based on the Management Software report Determine whether a change is authorized or not Restore a file if the change is deemed unauthorized or malicious
s o policy, procedure and standards o request o Approval process o Deployment o result o Monitor application and networks
s policy, procedure and standards o Prioritize/categorize changes based on downtime, lead time, type of services and severity of the change (Low, Medium, High Urgent) o Roles and responsibilities Define and designate qualified personnel s roles Segregation of duties (SOD) Communication Enforce change- process
s Request Management o Request Analysis Business Analysis The likelihood of success Significance to business Resources required and business justification Technical Analysis System dependencies Technical requirement Project estimate o Request Reporting Make the change requests visible to Retain status of the change request when it is analyzed, prioritized, tested and deployed
s Approval Process o Appropriate approval should be obtained between the different phases of change process o Management approval should be documented
s Deployment Management o Logical (separate), Test/QA and Production o Deployment process High category changes Low/Medium category changes Emergency changes o Leverage Technology To provide auditabilityand versioning throughout the deployment process 7
s Result o Key Performance Indicators (KPI) about the entire Management Process Process bottlenecks, successful techniques, etc. o Use the KPIs (by ) to make adjustments to the change procedure and o Post change implementation monitoring 8
s Monitor application and networks o checks using automated monitoring tools Incident response Escalation process o Periodic reviews User access OS, apps, network, etc. System configuration servers, network equipment, etc. 9
s Software Relationship between change and SDLC o Managing change is a critical component of any SDLC model Management and SLDC are not mutually exclusive o occurs throughout the development life cycle o Cost of changes is higher once out of development 7 Software 0
s Software Relationship between change and SDLC o Waterfall model 7 Software
s Software Relationship between change and SDLC o Iterative model Agile Methodology Rational Unified Process (RUP) Rapid Application (RAD) Joint Application (JAD) 7 Software
Software Relationship between change and SDLC s o Prototyping Mange 7 Software
7 s Software Software Relationship between change and SDLC o V Model
s Software Tools to better manage change o Requirements Management o Visual Modeling o Automated Testing o Management 7 Software
Course Review o significance o o s o o o o Software (SDLC)
Questions? 7
Contact Information Steve Owyoung sowyoung@kpmg.com -9-70 Doug Mohrland doug.mohrland@oracle.com 0-0-77 8
Appendix s 9
changes OS changes (Host) o Applying OS patches s OS vendor recommendation Opening/closing OS services o Re-imaging As a backup plan when an OS update didn t go as planned As part of major/minor/emergency application changes 0
s changes Network changes o Software changes Deploying OS Patching OS o Configuration s Updating firewall, router, switch configuration o Hardware changes Adding/removing of network equipment
changes Application changes o Company specific application change s Major, minor and emergency changes New releases Bug fixes o Application configuration changes o Database changes Schema changes Database upgrades (version upgrade)
changes Physical access change o Physical access to data center s Preventing root level access through a system console Deactivating terminated employee s physical access Deactivating temporary physical access
changes Logical access change o OS Access s privileged access to /mission- critical server o Application Access privileged access to /mission- critical application o Network Access privileged access to network equipment