C22 - Intro to Change Management and SDLC
Steve Owyoung, Doug Mohrland
Source: sfisaca.org/images/fc09_presentations/c22 - intro to... (uploaded 14-May-2018)

TRANSCRIPT

Introduction to Change Management and SDLC

Steve Owyoung, Manager
Doug Mohrland, Manager
KPMG LLP, IT Advisory

Discussion topics

• Why change management and its significance
• Types of changes in production environment
• Change management controls
• Impact of weak change management control
• Integrity management
• Change management leading practices
• Software Development Life Cycle (SDLC)


Why change management and its significance?

• Total fraud losses in the United States estimated to be $994 billion in 2008
• Of all the computer crimes reported, 75% - 90% were committed by former or current employees (knowledgeable insiders)

[Pie chart, "Occupation" of computer crime offenders: Managers 11%; application programmers, clerical staff, users, students and others make up the remaining segments, labelled 14%, 18%, 12% and 31% (pairing of labels to values not legible)]

Source: Association of Certified Fraud Examiners and National Center For Computer Crime

Why change management and its significance?

• Change management is significant because it helps an organization to be efficient in:
  – Adapting to change
  – Controlling change
  – Effecting change

Types of changes: Changes in production environment

[Diagram of the production environment showing the Internet, network equipment and physical controls]

Types of changes: OS changes (Host)

• Applying OS patches
  – OS vendor recommendation
  – Opening/closing OS services
• Re-imaging
  – As a backup plan when an OS update didn't go as planned
  – As part of major/minor/emergency application changes

Types of changes: Network changes

• Software changes
  – Deploying OS
  – Patching OS
• Configuration changes
  – Updating firewall, router, switch configuration
• Hardware changes
  – Adding/removing network equipment

Types of changes: Application changes

• Company-specific application changes
  – Major, minor and emergency changes
  – New releases
  – Bug fixes
• Application configuration changes
• Database changes
  – Schema changes
  – Database upgrades (version upgrade)

Types of changes: Physical access change

• Physical access to data center
  – Preventing root-level access through a system console
  – Deactivating terminated employees' physical access
  – Deactivating temporary physical access

Types of changes: Logical access change

• OS access change
  – Privileged access to production/mission-critical servers
• Application access change
  – Privileged access to production/mission-critical applications
• Network access change
  – Privileged access to network equipment

Change management controls: Planned/routine maintenance change procedure and controls

[Flowchart of the planned/routine maintenance change procedure and controls]

Change management controls: Emergency / system recovery change procedure and controls

[Flowchart; the steps and decision points read as follows]

EMERGENCY CHANGES
• Change requestor: request a change (complete an Emergency Change Request Form)
• The change requestor solicits management approval (verbal is acceptable)
• Approved by management or by the staff managing the production systems? (Yes / No)
• Test required? (Yes / No)
  – Yes: perform testing (test environment). Test passed? (Yes / No)
  – Test failed: the staff managing the production systems exercise professional judgment and decide whether to proceed with or cancel the emergency change
• Notify all the constituents before production implementation
• Implement the change into production
• Perform post-implementation monitoring
• The changes and the back-out plans should be documented in the Change Request Form for later management review

SYSTEM RECOVERY
• The production support staff immediately respond and start resolving the issue

Impact of weak change controls

• Potential for system outages
• Prone to unplanned, unauthorized and undocumented changes
  – Unauthorized and undocumented changes cause unexplained additional problems or outages

Impact of weak change controls (continued)

• Prone to system attack (for example, denial of service)
• Misuse of resources
  – Unplanned work
  – Creates monetary loss
• Causes legal implications
  – Due to the exposure of sensitive customer data
  – Due to system unavailability to customers
• Losing a customer / business

Integrity management: Prevention

• Restrict logical access
  – Firewall, IDS, OS and application
• Unnecessary services
  – Disable at the servers
  – Block at the firewalls
• Restrict physical access
  – Restrict physical access to the areas that house critical systems to ONLY authorized employees
  – Perform periodic physical access reviews

Integrity management: Detection

• Monitor metadata and look for changes
  – Create, store and monitor baseline metadata values
  – Metadata values: modification time, file size and cryptographic checksum
  – Of the three, only the cryptographic checksum is hard to forge: an intruder can reset a file's modification time and keep its size, so a changed checksum with unchanged time and size is itself a warning sign. Store the baseline off-host or read-only so it cannot be altered together with the files it describes.
• Integrity management software
  – Reads the files or directories to monitor: critical network configuration, data files, customer database files, documents and spreadsheets
  – Takes action when a violation (change) occurs
• Intrusion detection (IDS)

Integrity management: Recovery

• Maintain a backup copy of the production data
• Identify changes based on the integrity management software report
• Determine whether a change is authorized or not
• Restore a file if the change is deemed unauthorized or malicious
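The detection and recovery steps on the two slides above, worked through as an added example (this is not code from the presentation or from KPMG): a SHA-256 baseline of the monitored files is built and stored, a later scan is classified against it, changes covered by an approved ticket are accepted, and everything else is restored from the backup copy. The directory layout, file contents, the approved-change set and the ticket it stands for are all constructed for the demonstration.

```python
"""File integrity monitoring: baseline, detect, triage, restore.

Added example, not code from the presentation: it implements the detection and
recovery steps on the slides with a SHA-256 baseline, then restores unauthorized
changes from a backup copy. The directory layout, file contents, the
approved-change set and the ticket it stands for are all constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_metadata(path: Path) -> dict:
    """The three baseline values the slides name: mtime, size, checksum."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"mtime_ns": st.st_mtime_ns, "size": st.st_size, "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Metadata for every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): file_metadata(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, out: Path) -> None:
    # Keep this file off-host or read-only: an intruder who can edit the
    # monitored files must not be able to edit the record of their hashes too.
    out.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def compare(root: Path, baseline: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    current = build_baseline(root)
    report = {"modified": [], "forged_timestamp": [], "deleted": [], "added": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["deleted"].append(rel)
        elif new["sha256"] != old["sha256"]:
            # Content differs. If mtime and size still match, the editor put the
            # timestamp back (touch -r style); only the checksum exposes that, which
            # is why the hash is authoritative and mtime/size are just pre-filters.
            same_meta = new["mtime_ns"] == old["mtime_ns"] and new["size"] == old["size"]
            report["forged_timestamp" if same_meta else "modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def triage_and_restore(root: Path, backup: Path, report: dict, approved: set) -> dict:
    """Separate approved from unauthorized changes; restore the latter from backup."""
    outcome = {"authorized": [], "restored": [], "investigate": []}
    for rel in report["modified"] + report["forged_timestamp"] + report["deleted"]:
        # A change covered by an approved ticket is fine unless its timestamp was
        # forged: legitimate deployments have no reason to hide when they ran.
        if rel in approved and rel not in report["forged_timestamp"]:
            outcome["authorized"].append(rel)
            continue
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, root / rel)      # copy2 keeps the backup's mtime
        outcome["restored"].append(rel)
    # New files outside any ticket are flagged for a human, not deleted blindly.
    outcome["investigate"] = [rel for rel in report["added"] if rel not in approved]
    return outcome


def run_demo() -> dict:
    """Constructed scenario in a temp directory; returns what a test can check."""
    work = Path(tempfile.mkdtemp())
    prod, backup = work / "prod", work / "backup"
    (prod / "etc").mkdir(parents=True)
    (prod / "etc" / "app.conf").write_text("workers=4\n")
    (prod / "etc" / "firewall.rules").write_text("default deny\n")
    (prod / "etc" / "hosts.allow").write_text("10.0.0.0/8\n")
    shutil.copytree(prod, backup)                  # backup copy of production data
    baseline = build_baseline(prod)
    save_baseline(baseline, work / "baseline.json")

    # Approved change (hypothetical ticket CHG-0001 covers etc/app.conf).
    (prod / "etc" / "app.conf").write_text("workers=16\n")
    # Unauthorized same-size edit with the modification time reset afterwards.
    rules = prod / "etc" / "firewall.rules"
    rules.write_text("default pass\n")
    old_ns = baseline["etc/firewall.rules"]["mtime_ns"]
    os.utime(rules, ns=(old_ns, old_ns))
    # Unauthorized deletion and an unexplained new file.
    (prod / "etc" / "hosts.allow").unlink()
    (prod / "etc" / "ld.so.preload").write_text("/tmp/x.so\n")

    report = compare(prod, baseline)
    outcome = triage_and_restore(prod, backup, report, approved={"etc/app.conf"})
    after = compare(prod, baseline)                # only the approved edit remains
    shutil.rmtree(work)
    return {"report": report, "outcome": outcome, "after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

After the approved change has been accepted the baseline should be rebuilt (build_baseline again) so that the next scan does not keep reporting it; the scan is deliberately run from the stored baseline here to show that the restore brought the unauthorized files back to their recorded state.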

Change management leading practices

• Change management policy, procedure and standards
• Change request management
• Approval process
• Deployment management
• Change result management
• Monitor applications and networks

Change management leading practices: Policy, procedure and standards

• Prioritize/categorize changes based on downtime, lead time, type of services and severity of the change (Low, Medium, High, Urgent)
• Roles and responsibilities
  – Define and designate qualified personnel's roles
  – Segregation of duties (SOD)
  – Communication
  – Enforce the change-management process

Change management leading practices: Change request management

• Change request analysis
  – Business analysis
    • The likelihood of success
    • Significance to the business
    • Resources required and business justification
  – Technical analysis
    • System dependencies
    • Technical requirements
    • Project estimate
• Change request reporting
  – Make the change requests visible to management
  – Retain the status of the change request as it is analyzed, prioritized, tested and deployed

Change management leading practices: Approval process

• Appropriate approval should be obtained between the different phases of the change management process
• Management approval should be documented
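The three leading-practice slides above (segregation of duties, retained request status per phase, documented approval between phases) and the emergency-change flowchart earlier can be enforced in tooling rather than left to procedure. The following is an added example, not code from the presentation or from KPMG: a change-request record that refuses any phase transition the policy does not allow, and records every transition for later management review. Phase names, role names, the actors and the ticket ids are hypothetical.

```python
"""Change-request workflow with enforced approval gates and segregation of duties.

Added example, not code from the presentation: it encodes the leading practices
on the slides (retain the request's status through each phase, obtain documented
approval between phases, keep requester, approver and deployer separate, let an
emergency change skip testing only with a recorded management decision).
Phase names, roles, actors and ticket ids are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

PHASES = ["submitted", "analyzed", "prioritized", "approved", "tested", "deployed", "closed"]
# Role entitled to move a request into each phase (hypothetical role names).
ROLE_FOR = {"analyzed": "analyst", "prioritized": "cab", "approved": "manager",
            "tested": "qa", "deployed": "operator", "closed": "manager"}
CATEGORIES = ("low", "medium", "high", "urgent")   # urgent == emergency change


class ChangeControlError(Exception):
    """Raised when a transition would violate the change-management policy."""


@dataclass
class ChangeRequest:
    cr_id: str
    requester: str
    description: str
    category: str
    state: str = "submitted"
    history: list = field(default_factory=list)      # every transition: who, when, why
    actors: dict = field(default_factory=dict)       # phase -> actor who signed it off

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ChangeControlError(f"unknown category {self.category!r}")

    def _record(self, phase, actor, role, note):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.history.append({"phase": phase, "by": actor, "role": role, "at": stamp, "note": note})
        self.actors[phase] = actor
        self.state = phase

    def advance(self, phase, actor, role, note=""):
        """Move to the next phase; refuse anything the policy does not allow."""
        if self.state == "closed":
            raise ChangeControlError(f"{self.cr_id} is closed")
        expected = PHASES[PHASES.index(self.state) + 1]
        if phase != expected:
            raise ChangeControlError(f"{self.cr_id}: {self.state} -> {phase} skips {expected}")
        if ROLE_FOR[phase] != role:
            raise ChangeControlError(f"{phase} requires role {ROLE_FOR[phase]}, not {role}")
        # Segregation of duties: the person who asked for the change may not approve,
        # test or deploy it, and the approver may not also be the deployer.
        if phase in ("approved", "tested", "deployed") and actor == self.requester:
            raise ChangeControlError(f"{actor} cannot {phase} their own request")
        if phase == "deployed" and actor == self.actors.get("approved"):
            raise ChangeControlError(f"{actor} approved {self.cr_id} and cannot also deploy it")
        if phase == "approved" and not note:
            raise ChangeControlError("management approval must be documented (note required)")
        self._record(phase, actor, role, note)

    def skip_testing(self, actor, role, justification):
        """Emergency path from the flowchart: a manager may waive testing, but only
        for an approved urgent change and only with the decision written down."""
        if self.category != "urgent" or self.state != "approved" or role != "manager":
            raise ChangeControlError("testing can be waived only for an approved urgent change by a manager")
        if not justification:
            raise ChangeControlError("waiver needs a documented justification")
        self._record("tested", actor, role, f"TEST WAIVED: {justification}")


def run_demo():
    """Constructed walk-through; returns the final record and the refused attempts."""
    cr = ChangeRequest("CHG-0042", "alice", "open TCP/8443 on edge firewall", "high")
    cr.advance("analyzed", "bob", "analyst", "depends on load balancer cert rotation")
    cr.advance("prioritized", "cab-chair", "cab", "scheduled for Saturday window")
    refused = []
    for args in [("approved", "alice", "manager", "self-approval"),   # SoD violation
                 ("deployed", "dave", "operator", "skipping test"),   # phase skipped
                 ("approved", "carol", "manager", "")]:               # undocumented
        try:
            cr.advance(*args)
        except ChangeControlError as err:
            refused.append(str(err))
    cr.advance("approved", "carol", "manager", "CAB minutes item 4")
    cr.advance("tested", "erin", "qa", "passed in QA")
    try:
        cr.advance("deployed", "carol", "operator", "")              # approver deploying
    except ChangeControlError as err:
        refused.append(str(err))
    cr.advance("deployed", "dave", "operator", "back-out plan: restore rule set v17")
    cr.advance("closed", "carol", "manager", "post-implementation monitoring clean")
    return cr, refused


if __name__ == "__main__":
    record, rejected = run_demo()
    for entry in record.history:
        print(entry)
    print("refused:", *rejected, sep="\n  ")
```

The history list is the "retained status" the request-management slide asks for, and it doubles as the audit trail a reviewer would sample; the refusals are where the segregation-of-duties and documented-approval practices actually bite.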

Change management leading practices: Deployment management

• Separate logical environments: Development, Test/QA and Production
• Deployment process
  – High-category changes
  – Low/Medium-category changes
  – Emergency changes
• Leverage technology
  – To provide auditability and versioning throughout the deployment process

Change management leading practices: Result management

• Key Performance Indicators (KPIs) about the entire change management process
  – Process bottlenecks, successful techniques, etc.
• Management uses the KPIs to make adjustments to the change management procedure and practices
• Post-change implementation monitoring

Change management leading practices: Monitor applications and networks

• Integrity checks
  – Using automated monitoring tools
• Incident response
  – Escalation process
• Periodic reviews
  – User access: OS, applications, network, etc.
  – System configuration: servers, network equipment, etc.

Software Development Life Cycle: Relationship between change management and SDLC

• Managing change is a critical component of any SDLC model
  – Change management and SDLC are not mutually exclusive
• Change management occurs throughout the development life cycle
• The cost of changes is higher once out of development

Software Development Life Cycle: Relationship between change management and SDLC (cont.)

• Waterfall model

[Waterfall model diagram]

Software Development Life Cycle: Relationship between change management and SDLC (cont.)

• Iterative model
  – Agile methodology
  – Rational Unified Process (RUP)
  – Rapid Application Development (RAD)
  – Joint Application Development (JAD)

[RUP phases diagram] Illustration courtesy of Rational Unified Process

Software Development Life Cycle: Relationship between change management and SDLC (cont.)

• Prototyping

[Prototyping model diagram; the cycle includes a "Manage change" step]

Software Development Life Cycle: Relationship between change management and SDLC (cont.)

• V model

[V model diagram]

Software Development Life Cycle: Tools to better manage change

• Requirements management
• Visual modeling
• Automated testing
• Change management

Course Review

• Why change management and its significance
• Types of changes in production environment
• Change management controls
• Impact of weak change management control
• Integrity management
• Change management leading practices
• Software Development Life Cycle (SDLC)

Questions

Contact Information

• Steve Owyoung, 415-963-7603, [email protected]
• Doug Mohrland, 415-963-7570, [email protected]