steve owyoung and doug mohrland presentation.pptsfisaca.org/images/fc09_presentations/c22 - intro to...
TRANSCRIPT
Introduction to Change Management and SDLC
Steve Owyoung, Manager
Doug Mohrland, Manager
KPMG LLP, IT Advisory
Discussion topics
• Why change management and its significance
• Types of changes in production environment
• Change management controls
• Impact of weak change management control
• Integrity management
• Change management leading practices
• Software Development Life Cycle (SDLC)
Why change management and its significance?
• Total fraud losses in the United States estimated to be $994 billion in 2008
• Of all the computer crimes reported: 75% - 90% committed by former or current employees (knowledgeable insiders)
(Chart: occupation of those committing computer crime. Managers 11%; the other categories shown are application programmers, clerical users, students and others, with the values 14%, 18%, 12% and 31% shown unlabelled)
Source: Association of Certified Fraud Examiners and National Center For Computer Crime
Why change management and its significance?
• Change management is significant because it helps an organization to be efficient
– Adapting to change
– Controlling change
– Effecting change
Types of changes – Changes in production environment
(Diagram of the production environment showing the Internet, network equipment and physical control)
Types of changes – OS changes (Host)
• Applying OS patches
– OS vendor recommendation
– Opening/closing OS services
• Re-imaging
– As a backup plan when an OS update didn't go as planned
– As part of major/minor/emergency application changes
Types of changes – Network changes
• Software changes
– Deploying OS
– Patching OS
• Configuration changes
– Updating firewall, router, switch configuration
• Hardware changes
– Adding/removing network equipment
Types of changes – Application changes
• Company specific application change
– Major, minor and emergency changes
– New releases
– Bug fixes
• Application configuration changes
• Database changes
– Schema changes
– Database upgrades (version upgrade)
Types of changes – Physical access change
• Physical access to data center
– Preventing root level access through a system console
– Deactivating terminated employee's physical access
– Deactivating temporary physical access
Types of changes – Logical access change
• OS access change
– Privileged access to production/mission-critical server
• Application access change
– Privileged access to production/mission-critical application
• Network access change
– Privileged access to network equipment
Change management controls – Planned/routine maintenance changes procedure and controls
(Flowchart: planned/routine maintenance change procedure and controls)
Change management controls – Emergency/System Recovery change procedure and controls
(Flowchart, reconstructed as a sequence of steps)
CHANGE REQUESTOR
• Request a change (complete an Emergency Change Request Form)
EMERGENCY CHANGES
• The change requestor solicits management approval (verbal is acceptable)
SYSTEM RECOVERY
• The production support staff immediately respond and start resolving the issue
• Approved by management or by the staff managing the production systems? (Yes/No)
• Test required? (Yes/No) If Yes, perform testing (test environment)
• Test passed? If Yes, implement the change into production; if No, the staff managing the production systems exercise professional judgment and decide whether to proceed or cancel the emergency change
• Notify all the constituents before production implementation
• Implement change into production
• Perform post implementation monitoring
• The changes and the back out plans should be documented in the Change Request Form for later management review
Impact of weak change controls
• Potential for system outages
• Prone to unplanned, unauthorized and undocumented changes
– Unauthorized and undocumented changes cause unexplained additional problems or outages
Impact of weak change controls
• Prone to system attack (example: denial of service)
• Misuse of resources
– Unplanned work
– Creates monetary loss
• Causes legal implications
– Due to the exposure of sensitive customer data
– Due to system unavailability to customers
• Losing a customer/business
Integrity management – Prevention
• Restrict logical access
– Firewall, IDS, OS and application
• Unnecessary services
– Disable at the servers
– Block at the firewalls
• Restrict physical access
– Restrict physical access to the facilities that house critical systems to ONLY authorized employees
– Perform periodic physical access reviews
Integrity management – Detection
• Monitor metadata and look for changes
– Create, store and monitor baseline metadata values
– Metadata values: modification time, file size and cryptographic checksum
– Modification time and size can be set back by whoever made the change; the cryptographic checksum is the value that exposes a content change regardless of timestamp
• Integrity management software
– Reads files or directories to monitor: critical network configuration, data files, customer database files, documents and spreadsheets
– Takes action when a violation (change) occurs
• Intrusion detection (IDS)
Integrity management – Recovery
• Maintain a backup copy of the production data
• Identify changes based on the integrity management software report
• Determine whether a change is authorized or not
• Restore a file if the change is deemed unauthorized or malicious
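The detection and recovery steps on the two integrity management slides above, worked through as an added example (this is not code from the KPMG presentation). It baselines a monitored tree on the three metadata values the slide names (modification time, file size, cryptographic checksum), diffs a fresh scan against the baseline, decides which changes are covered by an approved change request, and restores the rest from the backup copy. The monitored tree, the backup tree, the file names and the approved-change list in run_demo() are constructed for illustration; the example also flags modified files whose modification time did not move, which is why the checksum rather than the timestamp is the deciding field.

```python
"""File integrity monitoring: baseline, detect, triage, restore.

Added example; not code from the KPMG presentation. Standard library only.
The monitored tree, the backup tree and the approved-change list built in
run_demo() are constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_metadata(path: Path) -> dict:
    """The three baseline values named on the slide: mtime, size, checksum."""
    st = path.stat()
    return {
        "mtime_ns": st.st_mtime_ns,
        "size": st.st_size,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root: Path) -> dict:
    """Walk the monitored tree; keys are POSIX-style paths relative to root."""
    return {
        p.relative_to(root).as_posix(): file_metadata(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def detect_changes(old: dict, new: dict) -> dict:
    """Diff two baselines. The checksum decides 'modified': mtime and size can
    be put back by whoever edited the file (touch -r, same-length edit), the
    hash cannot. 'mtime_preserved' lists modified files whose mtime did not
    move, i.e. the ones a timestamp-only monitor would have missed."""
    common = set(old) & set(new)
    modified = sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"])
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": modified,
        "mtime_preserved": [k for k in modified
                            if old[k]["mtime_ns"] == new[k]["mtime_ns"]],
    }


def triage(changes: dict, approved: set) -> dict:
    """Recovery step 'determine whether a change is authorized': a change is
    authorized only if its path is covered by an approved change request."""
    touched = changes["added"] + changes["removed"] + changes["modified"]
    return {
        "authorized": sorted(k for k in touched if k in approved),
        "unauthorized": sorted(k for k in touched if k not in approved),
    }


def restore(root: Path, backup: Path, rel_path: str) -> bool:
    """Put one unauthorized change back from the backup copy.
    Returns True when that path is back to its backed-up state."""
    src, dst = backup / rel_path, root / rel_path
    if src.is_file():                      # modified or deleted: copy back
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        return file_metadata(src)["sha256"] == file_metadata(dst)["sha256"]
    if dst.is_file():                      # added file: nothing to restore, remove it
        dst.unlink()
        return True
    return False                           # gone and never backed up: unrecoverable


def run_demo() -> dict:
    """Constructed scenario: one approved change, two unauthorized ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "prod"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "firewall.conf").write_text("allow 443\n")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "customers.db").write_text("id,name\n1,alice\n")
        backup = Path(tmp) / "backup"          # the backup copy the slide asks for
        shutil.copytree(root, backup)
        baseline = build_baseline(root)

        # Approved change request (hypothetical CR-1): open 8443 in the firewall.
        (root / "etc" / "firewall.conf").write_text("allow 443\nallow 8443\n")
        # Unauthorized edit that puts the original timestamp back afterwards.
        app = root / "etc" / "app.conf"
        before = app.stat()
        app.write_text("debug=true\n")
        os.utime(app, ns=(before.st_atime_ns, before.st_mtime_ns))
        # Unauthorized file dropped into the tree.
        (root / "etc" / "cron.sh").write_text("#!/bin/sh\n")

        approved = {"etc/firewall.conf"}       # paths covered by CR-1
        changes = detect_changes(baseline, build_baseline(root))
        verdict = triage(changes, approved)
        restored = {k: restore(root, backup, k) for k in verdict["unauthorized"]}
        remaining = triage(detect_changes(baseline, build_baseline(root)), approved)
        return {"changes": changes, "verdict": verdict, "restored": restored,
                "remaining_unauthorized": remaining["unauthorized"]}


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the scenario's result: the firewall edit is reported but left in place because a change request covers it, the timestamp-preserving edit to app.conf is caught by its checksum and copied back from the backup, and the dropped file is removed. In a real deployment the baseline and the approved list would live outside the monitored host (an attacker who can edit the files can otherwise edit the baseline too), and "approved" should be tied to the change request's window and owner rather than to a bare path.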
Change management leading practices
• Change management policy, procedure and standards
• Change request management
• Approval process
• Deployment management
• Change result management
• Monitor application and networks
Change management leading practices – Change management policy, procedure and standards
• Prioritize/categorize changes based on downtime, lead time, type of services and severity of the change (Low, Medium, High, Urgent)
• Roles and responsibilities
– Define and designate qualified personnel's roles
– Segregation of duties (SOD)
• Communication
– Enforce the change-management process
Change management leading practices – Change request management
• Change request analysis
– Business analysis
  • The likelihood of success
  • Significance to business
  • Resources required and business justification
– Technical analysis
  • System dependencies
  • Technical requirement
  • Project estimate
• Change request reporting
– Make the change requests visible to management
– Retain the status of the change request as it is analyzed, prioritized, tested and deployed
Change management leading practices – Approval process
• Appropriate approval should be obtained between the different phases of the change management process
• Management approval should be documented
Change management leading practices – Deployment management
• Separate logical environments: Development, Test/QA and Production
• Deployment process
– High category changes
– Low/Medium category changes
– Emergency changes
• Leverage technology to provide auditability and versioning throughout the deployment process
Change management leading practices – Result management
• Key Performance Indicators (KPI) about the entire change management process
– Process bottlenecks, successful techniques, etc.
• Use the KPIs (by management) to make adjustments to the change management procedure and practices
• Post change implementation monitoring
Change management leading practices – Monitor application and networks
• Integrity checks
– Using automated monitoring tools
• Incident response
– Escalation process
• Periodic reviews
– User access: OS, apps, network, etc.
– System configuration: servers, network equipment, etc.
Software Development Life Cycle – Relationship between change management and SDLC
• Managing change is a critical component of any SDLC model
– Change management and SDLC are not mutually exclusive
• Change management occurs throughout the development life cycle
• Cost of changes is higher once out of development
Software Development Life Cycle – Relationship between change management and SDLC
• Waterfall model
(Diagram of the waterfall model)
• Iterative model
– Agile methodology
– Rational Unified Process (RUP)
– Rapid Application Development (RAD)
– Joint Application Development (JAD)
(Illustration courtesy of Rational Unified Process)
• Prototyping
(Diagram of the prototyping model, including a "Manage Change" step)
• V Model
(Diagram of the V model)
Software Development Life Cycle – Tools to better manage change
• Requirements management
• Visual modeling
• Automated testing
• Change management
Course Review
• Why change management and its significance
• Types of changes in production environment
• Change management controls
• Impact of weak change management control
• Integrity management
• Change management leading practices
• Software Development Life Cycle (SDLC)
Questions
Contact Information
• Steve Owyoung, 415-963-7603, [email protected]
• Doug Mohrland, 415-963-7570, [email protected]