Beyond The Change - Using Tripwire to Promote Consistency and ROI
Slide 1: Beyond the Change: Mastering Configuration Controls
Daniel J Blander, CISM, CISSP

Slide 2: Agenda
[ The Need ]
[ The Approach ]
[ Configuration Standards ]
[ Change Control – SDLC Validation ]
[ The Results ]

Slide 3: The Need
[ Customer Needs ]
      Hawaiian Airlines - $1B International Airline
       • Sarbanes-Oxley
       • PCI
      National Retailer - $1.45B, ~900 Stores
       • PCI
       • Sarbanes-Oxley

Slide 4: The Need
[ PCI ]
       Required Standards
[ IT General Controls (SOX 404) ]
       Verification of Change
[ Universal Goals ]
       Improving Quality of Production Implementation
       Consistency of Production Systems
       Reduce Time to Test + Audit

Slide 5: The Approach
[ Focus on Maturity ]
       Effectiveness of Controls
       Efficiency of Testing + Audit
       Repeatability + Service Levels
[ Develop the Process First – Tool Later ]

Slide 6: The Approach
[ Rule 1: “Trust is not a Control.” ]
                                  - KPMG Sr. Mgr.
[ Rule 2: “Always Give Something Back.” ]
                                  - Daniel Blander

Slide 7: Best Practice I: Configuration Standards
[ Step 1: Develop + Document Standards ]
[ Step 2: Configure Your Systems ]
[ Step 3: Tripwire Configuration Assessment ]
[ Execution Details ]
       Eight Hours of Work per System Type
       Make it Your Own – Customize and Test
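The three steps on Slide 7 amount to: write the standard down, configure to it, then have a tool report every system that deviates. The script below is an added example of that assessment step; it is not Tripwire's policy engine and not the presenter's code. The standard (a handful of sshd-style settings) and the sampled host configuration are constructed for illustration, and the parser's "first occurrence wins" rule is an assumption borrowed from sshd_config.

```python
"""Assess a system's settings against a documented configuration standard.

Added example for the three-step practice (document a standard, configure
systems, assess them). Not Tripwire's policy engine and not code from the
presenter; the standard and the sampled configuration are constructed.
"""

# Step 1: the documented standard. Each setting carries the expected value
# and the justification an auditor will ask for. (Constructed, sshd-style.)
STANDARD = {
    "PermitRootLogin":        ("no",      "privileged access goes through named accounts"),
    "PasswordAuthentication": ("no",      "key-based authentication only"),
    "MaxAuthTries":           ("4",       "limit brute-force attempts"),
    "LogLevel":               ("VERBOSE", "record key fingerprints for audit"),
}

# A configuration as it might be pulled from a host. (Constructed sample.)
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes          # drifted from the standard
PasswordAuthentication no
MaxAuthTries 4
# LogLevel is not set at all
"""


def parse_settings(text):
    """Parse 'Key value' / 'Key=value' lines into a dict.

    Comments and blank lines are dropped; the first occurrence of a key
    wins (the convention sshd_config uses), so a later duplicate cannot
    silently override an earlier, compliant line.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def assess(standard, settings):
    """Step 3: compare observed settings with the standard.

    Returns a sorted list of variances as (key, expected, observed, reason).
    observed is None when the setting is absent; that is still a variance,
    because an unset value falls back to a default nobody reviewed.
    """
    variances = []
    for key, (expected, reason) in standard.items():
        observed = settings.get(key)
        if observed != expected:
            variances.append((key, expected, observed, reason))
    return sorted(variances)


def compliance_percent(standard, variances):
    """Share of standard items met, the number the trend chart is built from."""
    return 100.0 * (len(standard) - len(variances)) / len(standard)


if __name__ == "__main__":
    found = assess(STANDARD, parse_settings(SAMPLE_CONFIG))
    for key, expected, observed, reason in found:
        print(f"VARIANCE {key}: expected {expected!r}, observed {observed!r} ({reason})")
    print(f"compliance: {compliance_percent(STANDARD, found):.0f}%")
```

Treating an absent setting as a variance is the choice that matters in practice: a standard that only checks values present in the file passes hosts that never had the setting configured, which is exactly the ad-hoc state the deck is trying to eliminate.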
Slide 8: Best Practice I: The Real Results
[ Red Line – Old Audit + Old Compliance ]
[ Green Line – New Standards + New Compliance ]
(Chart: count of ad-hoc configuration changes over periods 1 to 12; annotations mark "Audit" and "Defined Standards + Tripwire" on the timeline.)

Slide 9: Best Practice I: The Real Results
[ Give Back + ROI ]
      Visibility to Change for All of IT
      Reduced Variances
      Reduced Testing Time - 150 Hours to 2

Slide 10: Best Practice II: Change Control Verification
Program Change Management - Applications
(Swimlane diagram; phases: INITIATION | DEVELOPMENT | TESTING | APPROVAL | IMPLEMENTATION | POST-REVIEW)
  Business:
       • Business User Input Request
       • Request is Reviewed
       • Business Owner Reviews and approves testing
       • Post Implementation Review
  Developer:
       • Developer checks out code, makes changes, checks code back in.
       • Code reviewed by Team
       • Unit Testing Performed
  Configuration Manager:
       • Code Changes moved to TEST environment
       • Code moved to Production
  Change Control Board:
       • Change Submitted to CCB for Approval
       • Change Implementation Approved
  IT Security:
       • Review Changes in Tripwire – Promote by Compare

Slide 11: Best Practice II: Change Control Verification
[ Requirements ]
      Segregated Environments – Dev | Test | Prod
      Prior to Changes Test Must Match Prod
      Deployment in Test is Deployment in Prod
[ Implement Tripwire – “Promote by Compare” ]
Slide 12: Best Practice II: Change Control Verification
[ The Control – Verification ]
       Change is Implemented in Test
       • Testing Is Conducted + Approved
       • Snapshot of Test Environment Captured by Tripwire
       Approved Change is Implemented in Production
       • End Users Verify Functionality
       • Information Security Verifies Change with Tripwire
       • Promote by Reference
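Slides 11 and 12 describe two checks: before a change, Test must match Prod, and after deployment, every difference observed in Prod must be explained by the snapshot of the approved Test environment. The script below is an added example of both checks in working code; it is not Tripwire's implementation and not the presenter's. The three environments are constructed in memory as {path: bytes} stand-ins for a real file-system walk, and the file names and contents are made up.

```python
"""Promote by compare: a production deployment is accepted only when every
file that changed in Prod matches the snapshot of the approved Test
environment, and nothing else moved.

Added example for the requirements (Test must match Prod before a change)
and the verification control. Not Tripwire's code and not the presenter's;
the environments are constructed {path: bytes} stand-ins for a file system.
"""
import hashlib
from dataclasses import dataclass, field


def snapshot(tree):
    """Capture path -> SHA-256 for each file in an environment."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def precheck(test_snap, prod_snap):
    """Requirement: prior to a change, Test must match Prod.

    Returns the paths that differ (different content, or present on only
    one side). A non-empty result means a Test result says nothing about
    what will happen in Prod, so the change should not proceed yet.
    """
    paths = set(test_snap) | set(prod_snap)
    return sorted(p for p in paths if test_snap.get(p) != prod_snap.get(p))


@dataclass
class Verdict:
    promoted: list = field(default_factory=list)   # changed in Prod, identical to approved Test
    variances: list = field(default_factory=list)  # changed in Prod, but not to the tested content
    extra: list = field(default_factory=list)      # in Prod, never part of the approved Test snapshot
    missing: list = field(default_factory=list)    # in the approved Test snapshot, absent from Prod

    @property
    def approved(self):
        return not (self.variances or self.extra or self.missing)


def promote_by_compare(prod_before, test_approved, prod_after):
    """The control: every difference observed in Prod must be explained by
    the approved Test snapshot. Promoted files are the expected change;
    everything else is a variance for Information Security to chase."""
    verdict = Verdict()
    for path in sorted(set(prod_after) | set(test_approved)):
        before = prod_before.get(path)
        after = prod_after.get(path)
        approved = test_approved.get(path)
        if after is None:
            verdict.missing.append(path)
        elif approved is None:
            verdict.extra.append(path)
        elif after == before:
            continue                            # untouched by the deployment
        elif after == approved:
            verdict.promoted.append(path)
        else:
            verdict.variances.append(path)
    return verdict


# Constructed environments. BASELINE is both Test and Prod before the change.
BASELINE = {
    "app/main.py":    b"print('v1')\n",
    "app/config.ini": b"[db]\nhost=db01\n",
    "etc/motd":       b"Welcome\n",
}
TEST_APPROVED = {**BASELINE,
    "app/main.py":    b"print('v2')\n",                  # the approved change
    "app/feature.py": b"def feature():\n    return 2\n",
}
PROD_GOOD = dict(TEST_APPROVED)                          # deployed exactly as tested
PROD_BAD = {**TEST_APPROVED,
    "app/main.py":    b"print('v2')  # hotfix\n",        # edited again in Prod
    "app/debug.log":  b"left behind\n",                  # never existed in Test
}


def run_example():
    """Returns (pre-change drift, good verdict, bad verdict) for the data above."""
    base = snapshot(BASELINE)
    approved = snapshot(TEST_APPROVED)
    return (precheck(base, base),
            promote_by_compare(base, approved, snapshot(PROD_GOOD)),
            promote_by_compare(base, approved, snapshot(PROD_BAD)))


if __name__ == "__main__":
    drift, good, bad = run_example()
    print("pre-change drift between Test and Prod:", drift or "none")
    print("good deployment approved:", good.approved, good)
    print("bad deployment approved:", bad.approved, bad)
```

The verdict separates the expected change (promoted) from three failure modes an auditor cares about: a file edited again in Prod, a file that appeared in Prod without ever being in Test, and a tested file that never arrived. Only an empty set of all three lets the change through, which is what turns "trust" into a control.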
Slide 13: Best Practice II: Change Control
[ ROI ]
       Trust of Auditors in Change Validity
       Improved SLA – Quality and Accuracy
       Quality of Implementation Improves
[ Musings ]
       Use of VMware

Slide 14: Take This Home With You
[ Process First – Then Tools ]
[ Make Sure the Effort Gives Something Back ]
      Real ROI – not FUD
      Culture of Consistency
      Improved Delivery
      Efficiency Through Automation ($24k Savings)

Slide 15: Questions
            Daniel Blander
    Daniel.Blander@techtonica.com
           (714) 815-3653