Using the CMDB to Manage Controls
The more difficult and time-consuming it is, the more likely there will be errors, people avoiding the system, and so on. This causes the CMDB death spiral, wherein the system is so inaccurate that people don't use it, and because they don't use it, it becomes even more inaccurate. The spiral repeats until the system fails. How we choose to use the CMDB to track control and audit information must be decided with careful deliberation to ensure that the value exceeds the costs, both of implementation and of ongoing operation in production.
In closing, the CMDB can be a repository of information for operations as well as for regulatory compliance and audits. By making information about IT general control processes and specific control activities accessible, the veil of confusion can be lifted and the activities of audit and IT streamlined. This will result in lower compliance costs, lower audit costs, and better managed risks, not to mention lower stress levels.
George Spafford is a principal consultant with Pepperweed Consulting and a long-time IT professional. George's professional focus is on compliance, security, management and overall process improvement.
