How to build a change workflow process
•Download as PPTX, PDF•
0 likes•118 views
The document discusses building a change workflow process to increase control over organizational changes. It recommends building the process to comply with industry regulations and internal policies, improve security by eliminating ad-hoc changes, and reduce costs. The key components of a change workflow process include submitting a request, review, approval, implementation, and validation steps. Automating the workflow can accelerate changes and reduce risks, costs, and human errors. The document provides examples of how organizations have benefited from automating their change management processes.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to How to build a change workflow process
Similar to How to build a change workflow process (20)
Recently uploaded
Recently uploaded (20)
How to build a change workflow process
- 1. Ask the Expert: How to Build a Change Workflow to Increase Control Ruth Gomel, Director Product Design Maya Malevich, Director Product Marketing
- 2. 2
- 3. Ask the Expert: How to Build a Change Workflow to Increase Control Ruth Gomel, Director Product Design Maya Malevich, Director Product Marketing
- 4. 4 Agenda Ask the Expert: • Why Build a Change Workflow? • How to Build the Process? • What’s Next?
- 5. 5 • Compliance - Industry Regulations - Internal security policies - Organizational change process - Organizational SLA • Improve security by eliminating ad-hoc changes • Reduce costs Why Build a Change Workflow?
- 6. 6 • PCI DSS Requirement 6.4: change control processes and procedures for all changes to system components • NERC CIP-010: change management process to ensure that only authorized changes are made to the Cyber Assets + every change must be documented to demonstrate proper authorization was utilized. • ISO 27001:2013 (Annex A) A.12.1.2 Change management: changes to the organization, business processes, information processing facilities, and systems that affect information security have to be controlled Compliance Mandates that Require a Change Process
- 7. 7 Align With The Organizational Change Process Organizational Change Process
- 8. 8 The Risks Of Not Having a Process
- 9. 9 How Much Does It Cost? Delays Redo’s
- 10. 10
- 11. 11 Before you start: • Identify types of changes and prioritize them • Identify stakeholders and include them in defining the process • Get management buy-in How to Build a Workflow?
- 12. 12 The Building Blocks 4. Do 5.Validate
- 13. 13 • Who is your user? • Where is the ticket submitted? - Email - Ticketing system - Portal page - Dedicated application to control input • What information is required? 1. Submit
- 14. 14 Who needs to review? • Manager • Professional colleague • Security review • Other? What information do they need? 2. Review
- 15. 15 • Who should approve? • What happens if they approve? • What happens if they do not approve? • What if they are away? 3. Approve
- 16. 16 What should get done? • Analyze • Assess • Design • Implement • Report Is there a change window? 4. Do
- 17. 17 How can results be validated? • Requester Approves • Implementation did not break anything • Results match the request 5. Validate
- 18. 18 6. Documentation • Who: accountability • What: accuracy • When: and for how long • Why: justification
- 20. 20 Making It Even Better: Automation Time to implement a change reduced from 6-8 days to 6 hours (Energy company in EMEA) • 50% reduction in time and effort of submitting changes • 50%-75% reduction in time and effort for staging changes (Large Financial Services company in the US) • Go from missing 5-day SLAs to changes implemented within 1 hour • Free up 67% of the time spent on ongoing changes so the team can focus elsewhere (An Independent Agency of the US Federal Government) Accelerate changes from 1-2 weeks to same day (Large Life Insurance Provider in the US) Reduced the time to implement access changes from 1-2 months to a few days (Large Energy provider in the US)
- 21. 21 • Process Flow • Steps - Submission - Approval under certain conditions - Analysis and Design - Implementation - Validation • Documentation What to Automate?
- 22. 22 We are the Security Policy Company Who can talk to whom? What can talk to what?
- 23. 23 About the Tufin Solution Tufin Orchestration Suite SecureApp™ SecureChange™ SecureTrack™ IT Service Management Other 3rd Party Solutions Scripting & Automation RESTAPIs Firewalls Public CloudPrivate CloudNetworks Unified Security Policy Containers Collectors and Provisioning Engines Analysis Engines
- 24. 24 Automated Network Security Change Process Request from App connectivity Ticketing Portal Automated Risk Assessment 1 Automated Design 2 Automated Provisioning 3 Audit 4 Maximize agility with end-to-end automation of network security changes with baked-in security & compliance
- 25. 25 Automated Risk Analysis Automated Risk Assessment 1 Automated Design 2 Automated Provisioning 3 Audit 4 Automated risk analysis for Continuous policy compliance
- 26. 26 Automated Network Security Change Design Automated Risk Assessment 1 Automated Design 2 Automated Provisioning 3 Audit 4 Automated change design based on accurate topology simulation & path analysis across vendors & platforms
- 27. 27 Automated, Accelerated Implementation Automated Risk Assessment 1 Automated Design 2 Automated Provisioning 3 Audit 4 Automated provisioning across the hybrid network from a single console reduces complexity & eliminates human error
- 28. 28 Auditable Change Process Automated Risk Assessment 1 Automated Design 2 Automated Provisioning 3 Audit 4 Full accountability with automatic audit trail of all network security changes Authorized Unauthorized Full audit trail over all changes and their security impact
- 29. 29 Configurable Change Workflow 1 Create a new workflow in SecureChange and select its type. Each workflow type is associated with a relevant template. Add steps to the workflow according to the business process 2 Add relevant fields to each workflow step, and assign the step to relevant user(s). 3 Activate and save the workflow. It is now ready to use and available in the workflows list.
- 30. 30 Open Platform to Enable Integrations ITSM VULNERABILITY SCANNERS IPAMSOAR ENDPOINTSIEM
- 31. 31 Case Study THE PROBLEM • Need a way to audit all changes • Falling behind the business SLA THE RESULT THE SOLUTION SecureChange™ SecureTrack™ Boosted agility and productivity • Changes implemented in 6 hours instead of 6-8 days • Reduce costs and efforts for audit prep (1-2 days) • Enhance application delivery and ensure service uptime SecureApp™
- 32. 32 Summary: Find the Right Balance
Editor's Notes
- We are going to get started with a poll
- Your organization should have the appropriate methods to control any changes in to and out of your environment. PCI Requirement 6.4 requires that your organization’s Change Control Program includes a documented roll-back plan, a testing phase, management’s approval, and updated documentation. The PCI DSS warns, “Without properly documented and implemented change controls, security features could be inadvertently or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced.” PCI DSS also demands recertification (timely justification) of access rules.
- ITIL Change Advisory Board Urgent changes vs. Changes to critical services – limited to a change window
- Allow changes vs. Block changes
- Another poll: Which regulations do you need to comply with? PCI DSS ISO 27001 Industry-specific: HIPAA, NERC CIP, SOX or other Geo-specific: like GDPR None
- Automation journey
- Add access or remove access?
- Before and After: How long does it take to make a change? How many changes are processed per week? How long does it take to prepare for an audit? How many incidents are caused by misconfigurations? How many redo’s are required?
- Enterprises are seeing growing network complexity and fragmented, manual processes in security and network operations are too slow and error-prone to be effective. Without a central solution managing security policy across the complete network and cloud infrastructure, implementing connections manually takes days or weeks and results in errors and new security risks. For organizations who want to become agile, competitive and secure that’s no longer acceptable. We believe that there is a more informed, secure and efficient way to orchestrate security-related changes across enterprise networks, and have pioneered a security policy management platform to bring automation and analytics to security and network operations. The types of policies that we manage are network policies: who can talk to whom or what can talk to what on the network
- Our customers deploy SecureChange to break the endless loop of chasing none compliant changes by embedding the security policy into the network change process. SecureChange leverages the analysis and provisioning engines of SecureTrack and aligns with the unified security policy that is defined in SecureTrack. SecureChange customers who leverage the automation capabilities of the product implement network changes in minutes instead of days, with dramatically better security and accuracy.
- Tufin’s end-to-end automation increases agility with security. Tufin provides automation at every step of the change process, as well as automation for the process flow itself. Click: Network security change requests can originate from the application connectivity model we discussed in the previous slide, from a 3rd party ticketing system like Remedy or ServiceNow, or from a custom user portal.
- To ensure security and compliance together with agility, Tufin provides automated risk analysis. Each network security change request is proactively examined against the central security policy baseline to identify and address potential violations. A few ways to address violations are: Automated escalation for security approval (completely customizable) Allow temporary exception with an expiration date Reject the ticket or return to the requester for adjustments
- Once security and compliance are cleared/approved, the change can be automatically designed to provide a clear and accurate implementation plan. Tufin delivers trusted design based on accurate topology simulation and path analysis across heterogeneous platforms and topology architecture. Here’s how it works - Tufin: Automatically selects the target policies in the topology path of the requested change Identifies the targets that require a change in policy to allow requested access Designs the optimal policy change for the specific target (avoid shadowing, add object/group/rule)
- Tufin provides automated provisioning for leading firewall and next-generation firewall platforms – such as Check Point, Palo Alto, Fortinet, Cisco, Juniper, also Forcepoint which is the new brand for Stonesoft Next-Generation Firewalls. Provisioning can be triggered automatically for zero-touch process flow, or activated from the designer.
- Finally, Tufin provides every aspect of ensuring compliance and audit readiness with: Real-time change monitoring and accountability Automatic audit trail Automatic change verification and authorization against approved change requests Complete history of each change request Reporting
- Quote from RWE: The cloud team accidentally deleted 15 servers and immediately setup 15 new servers. “In a normal way that would have meant death for that application for a few weeks”, but by using application-based automation the server group was updated and the application was back up in 15 minutes.
- To summarize, there is a lot of planning that needs to go into building a change workflow, but you shouldn’t let it stop you. There are great benefits, so if there are blockers try to start small, prove the value, and then continue.