San Francisco Chapter
Introduction to Change Management
Tuesday, September 23, 2008
Mark Lundin, Partner, KPMG LLP, IT Advisory
Steve Owyoung, Manager, KPMG LLP, IT Advisory

Discussion topics
1. Why change management and its significance
2. Types of changes in production environment
3. Change management controls
4. Impact of weak change management control
5. Integrity management
6. Change management leading practices
7. Software Development Life Cycle (SDLC)

Why change management and its significance?
Total fraud losses in the United States: $660 billion a year
Of all the computer crimes reported:
  ◦ Women 32%
  ◦ Minorities 43%
  ◦ Ages 21-35 67%
Computer fraud: 75% - 90% computer crime committed by former or current employees (knowledgeable insiders)
[Chart: Occupation (programmers, clerical, users, students, managers, others)]
Source: Association of Certified Fraud Examiners and National Center For Computer Crime

Why change management and its significance?
Change management is significant because it helps an organization to be efficient:
  ◦ Adapting to change
  ◦ Controlling change
  ◦ Effecting change

Types of changes
Changes in production environment
[Diagram labels: Internet, Network Equipment, Physical Control]

Types of changes
OS changes (Host)
Applying OS patches
  ◦ OS vendor recommendation
  ◦ Opening/closing OS services
Re-imaging
  ◦ As a backup plan when an OS update didn’t go as planned
  ◦ As part of major/minor/emergency application changes

Types of changes
Network changes
Software changes
  ◦ Deploying OS
  ◦ Patching OS
Configuration changes
  ◦ Updating firewall, router, switch configuration
Hardware changes
  ◦ Adding/removing of network equipment

Types of changes
Application changes
Company specific application change
  ◦ Major, minor and emergency changes
Database changes
  ◦ Schema changes
  ◦ Database upgrades (version upgrade)

Types of changes
Physical access change
Physical access to datacenter
  ◦ Preventing root level access through a system console
  ◦ Deactivating terminated employee’s physical access
  ◦ Deactivating temporary physical access

Types of changes
Logical access change
OS access change
  ◦ Privileged access to production/mission critical server
Application access change
  ◦ Privileged access to production/mission critical application
Network access change
  ◦ Privileged access to network equipment

Change management controls
Planned/routine maintenance changes procedure and controls

Change management controls
Emergency/System Recovery change procedure and controls

Impact of weak change controls
Potential for system outages
Prone to unplanned, unauthorized and undocumented changes
  ◦ Unauthorized and undocumented changes
      Causes unexplained additional problems or outages
      Causes unplanned changes as problems are troublesome to resolve due to the prior undocumented changes

Impact of weak change controls
Prone to system attack (example: denial of service)
Misuse of resource
  ◦ Unplanned work
  ◦ Creates monetary loss
Causes legal implication
  ◦ Due to the exposure of sensitive customer data
  ◦ Due to system unavailability to customers
Losing a customer/business

Integrity management – Preventing, detecting and responding to changes in production systems
Prevention
  ◦ Restrict logical access
      Firewall, IDS, OS and Application
  ◦ Unnecessary services
      Disable at the servers
      Block by the firewalls
  ◦ Restrict physical access
      Restrict physical access to areas housing critical systems to ONLY authorized employees
      Perform periodic physical access reviews