24 May 2011

Do you track changes?

Tripwire Inc | www.tripwire.com


Paul Gostick of Tripwire Inc on why you should be auditing and responding to change within your organisation.

CXO. Why is change auditing necessary and what are the benefits of automating that process?
PG. To improve the control of IT you must enforce policy, which means you must audit change. Auditors increasingly want to see independent change detection and verification – capabilities that demand more than basic change and configuration management technologies can deliver.

Change auditing is about being in control. Change auditing reconciles detected changes against tested, authorised changes, providing alerts when change is unauthorised. It reports objectively all change activity, enabling IT to prove the effectiveness of their controls and closes the loop on the change management process. With change auditing capabilities in place, security and compliance processes can be enforced and any attempts to circumvent them will be identified.

When combined with a change approval process that allows only approved and tested changes to be implemented, change auditing increases the availability of information systems, enhances security and instills greater confidence in IT by demonstrating that only authorised and intended changes have been made to the production environment.

The clear benefits of automated change auditing are reduced costs because of the speed and efficiency of detecting, reconciling and reporting all change activity across the entire production infrastructure. In many organisations, the monitored infrastructure is too large and change activity too frequent to effectively monitor changes manually. For automated controls, there is typically no further audit cost after the first time they are audited, and for semi-automated controls there is typically less cost after the initial audit. However, every manual process must be audited each and every year. End-user spreadsheets are classified by Sarbanes-Oxley (S-OX) as manual processes.

CXO. Can you explain the critical components of your own change auditing solutions? What differentiates them from anything else on the market?
PG. Tripwire provides change auditing solutions that prove system and process integrity to help enterprises comply with regulations while achieving greater network availability and security. Tripwire Enterprise software detects, reconciles and reports change. It offers unprecedented capabilities to audit change across multi-vendor platforms, servers, desktops, directory servers and network devices. Baseline management allows authorised users to designate ‘known and trusted’ configuration revisions as baselines, which are a point of reference for subsequent integrity checking. Tripwire Enterprise validates system process integrity by independently detecting both automated and manual changes. It includes a comprehensive library of tailorable reports and real-time dashboards that provide insightful performance metrics and trends. It measures the ratio of authorised to unauthorised changes and detailed change history to produce verifiable audit logs. Archived audit trails including device configurations and hash tables provide a comprehensive revision history showing what was done, where, when and by whom.

CXO. How do pressures to meet strict compliance requirements create particular challenges for companies today and how are they looking to technology to address some of these concerns?
PG. Change auditing is an essential capability to equip the principal executive and principal financial officers (who have the ultimate responsibility for compliance) with the tools needed to meet the evaluation and disclosure requirements of S-OX and other legislation, and fulfill their duties to implement and certify the existence of internal financial controls.

A key aspect of achieving compliance is accountability. When management takes ownership of the company’s IT control strategy, accountability is easily achieved. An effective control strategy must utilise preventive, detective and corrective controls, and must be designed to minimise risk to the business, particularly in areas scrutinised for Sarbanes-Oxley and other compliance regulations. For example, for SOX compliance, IT management should be able to demonstrate that no unauthorised changes have occurred to systems supporting material financial reporting operations.

Although using technology as the enabling framework is an absolute given, compliance with legislation is primarily a business issue, not a technical issue. It should be understood that compliance requires the business to generate, implement and conform to various policies. It is the role of technology to enforce this conformance to policy, to provide the means to prove conformance and to reduce the cost and effort of conformance on a day-to-day basis.

CXO. How, in particular, have changes in the financial services landscape impacted on the challenges facing organisations and their requirements from technology?
PG. A host of new laws govern the manner in which companies gather, secure, use, verify and report certain kinds of information. While the threat of litigation, fines and penalties under these laws may be strong motivation for businesses to comply, many businesses also appear to be using this opportunity to think more strategically about the role of IT in the company’s overall business decision making process. These companies appear to be discovering that a risk-based approach to compliance with these new laws can actually create benefits beyond compliance – specifically, they may be finding that a robust IT controls strategy achieves compliance objectives while increasing IT efficiency and effectiveness.

Compliance requirements are forcing many companies to adopt more forward-looking corporate IT governance processes and elevate change management from being primarily an IT issue to a key element in the larger corporate decision-making process.

CXO. What are the main security concerns for financial institutions and how can your solutions help companies to ensure the security of their IT networks?
PG. Many security solutions are about prevention and stopping external, unauthorised entities from accessing the organisation’s systems. However, they do not prevent mistakes or a malicious attack from within. Preventive controls are not enough; you also need detective controls and the ability to reconcile changes, both authorised and unauthorised....

As with any organisation, change is a primary, yet often overlooked security threat. IT must now address challenges to maintain a secure state and comply with regulatory requirements.

An organisation that uses effective controls to improve their processes typically has far better availability, lower amounts of unplanned work, better security, and incidentally, smoother audits.

CXO. Where do companies implementing this change auditing software see the ROI come from, and are there other, less quantifiable benefits?
PG. Tripwire Change Auditing solutions go beyond basic change and configuration management tools to provide independent detective controls that enable enterprises to reduce operational risk and gain control over IT systems. They also deliver the objective reporting needed to monitor the security of your systems, gain visibility across the enterprise, increase the availability of critical IT infrastructure and provide the proof to satisfy compliance and security audit requirements. As a result organisations have significant credibility during an audit and this leads to significantly reduced audit costs over time. IT Process Institute found that high performing organisations that embraced effective IT controls spent less than half the effort on compliance.

By auditing change across the network, Tripwire ensures the integrity of IT infrastructure – meeting today’s strict demands for accountability and security of information. Unplanned work is reduced which lowers costs and allows more time to focus on planned and strategic projects to give the organisation a competitive advantage.

Tripwire Enterprise 5.2 provides a single point of control for detecting, reconciling and reporting change activity across servers, desktops, network devices, and a growing number of other infrastructure components.

