
IT Controls: How and Where Do You Start?

Oct 24, 2005

ITSM Watch Staff

By Kevin Behr, Gene Kim and George Spafford

Practitioners in information technology (IT) face pressures on many fronts. In addition to demands to become more efficient, IT must now address challenges to maintain a secure state and comply with regulatory requirements.

For example, the Sarbanes-Oxley Act of 2002 is forcing publicly held U.S. corporations to attest to the fact that internal controls are both in place and effective. IT operational best practices, such as the Information Technology Infrastructure Library (ITIL), provide a framework to start defining repeatable and verifiable IT processes. However, as organizations attempt to use ITIL to begin their journey towards process improvement, they face two very difficult questions: How and where do you start?

The Visible Ops handbook provides step-by-step guidance and a prescriptive roadmap for organizations starting or continuing their IT process improvement journey. It is accessible to business management, security, and auditors because it is controls-based. By being based on controls, not only are regulatory issues addressed, but controls help provide the reliable delivery of IT service. Visible Ops identifies key issues that undermine service levels and security, and provides prescriptive guidance to address them.

Although IT operations, security and audit have very different roles, the three groups are often needlessly at odds because of the lack of effective controls. By improving processes and controls, all parties benefit by creating a more productive working relationship and allowing the groups to more efficiently achieve common business objectives.

  • Posture of compliance: a trusted working relationship between IT operations and auditors, because controls are visible, verifiable and regularly reported on.
  • Culture of causality: through the use of controls and metrics, these groups identify and solve problems through logical use of cause and effect, instead of a culture of "let's see if this works."
  • Management by fact: these organizations value controls and metrics, not only to aid effective problem solving, but to aid fact-driven decision making, as opposed to "management by belief" or "management by the honor system."

Control Processes
This process area covers maintaining production infrastructure, not only to prevent service interruptions, but also to efficiently deliver IT service. This is done through change management, as well as asset and configuration management. BS 15000 defines change management as well as asset and configuration management as primary controls. As Stephen Katz, former CISO of Citibank, once said, "Controls don't slow the business down; like brakes on a car, controls allow you to go faster."

Auditors often view the world through the lens of risks and controls. Risks exist, and you mitigate them either by preventing them or by detecting when they occur, and you should always be able to correct and recover should a risk actually materialize. The three categories of control are:

  • Preventive: controls that keep something from happening. For example, policy, separation of duty, and authorization processes are all preventive controls.
  • Detective: analytical controls that monitor activity and processes to determine if the preventive controls have failed or if something is out of compliance. For example, change monitoring and verification are detective controls.
  • Corrective: controls that restore the situation to the expected state. For example, if a system crashes due to a failed change, reloading all applications from the last known good image to bring the system back online serves as a corrective control.

The combination of the three types of controls creates a system of checks and balances to help ensure that the processes, people, and technology operate within prescribed bounds.

Visible Ops creates the instrumentation where auditors can review the processes and controls for effectiveness without having to enter into a forensics analysis mode. This leads to a more productive working relationship, smoother audits and less time spent on audit preparation and remediation.

Counting the Beans
Separation of duties ensures that no single person has complete unchecked access to do unauthorized things. Because lack of segregation can create nearly endless opportunities to commit fraud, developers are not allowed access to production processes where they can directly make changes in regulated environments. Instead, they must develop the code, then forward it to testing. Once there, the operations team can review the change, assess risks and deploy it into production if everything is acceptable.

These days, many audit concerns are driven by regulatory compliance needs that are required by the industry or that assure the integrity of financial reporting. At one time, auditors and bean counters checked to see if the financial statements were correct by opening up all of the warehouses and counting all the "beans." In this way, they could verify that the financial statements matched what they physically observed.

However, even the best auditors have finite time and resources. Instead of going into the warehouse and counting beans, they go to the bean counting machine and check the controls to determine whether the machine can be trusted. In most cases it is best to have a combination of preventive and detective controls. If neither exists, or if they are inadequate, the auditors cannot trust the results of the bean counting machine.

This erodes their ability to rely on anything the bean counting machine did, and requires opening up the warehouses, and--guess what--counting the beans. In other words, without assurance that proper controls exist, far more scrutiny is required, thus incurring substantial costs.

"Visible Ops is a methodology that comprehensively responds to major issues I have raised over and over again in my long career in financial and technology auditing," said Ruby Christina Bauske, Lead Technology Auditor. "To attest to the reliability of systems, auditors need to see: controls in place, controls documented, controls communicated, and evidence of the controls in action. Visible Ops shows IT managers how to build their operational processes so they can answer the auditors' eternal question: 'How do we really know?'"

The Road to a Smoother Audit
To create a more productive working relationship with auditors, the organization needs to be able to clearly describe its preventive processes and the detective controls that prove they work as expected. A main premise of Visible Ops is that controls serve an important purpose to ensure that our processes achieve the desired business objectives and that controls are not in place simply to generate positive audit findings or to comply with regulations. After all, a customer would not feel safe if the restaurant only complied with health codes to keep the inspectors at bay. They would be happier if the restaurant handled food with care to keep customers healthy, happy and improve their overall dining experience.

IT is no different. An organization that uses effective controls to improve its processes typically has far better availability, less unplanned work, better security, and incidentally, smoother audits.

"Visible Ops provides the IT practitioner at any level with a catalytic approach to improving operational controls," said Bill Shinn, a System Security Engineer with a Fortune 100 financial institution. "The Visible Ops toolset helps organizations find a toehold in spite of sheer cliffs of chaos. If you are looking to start or improve configuration management, champion a repeatable server provisioning process, and institute meaningful metrics that breed quality decisions, Visible Ops is the place to start. I recommend this to any IS Management, as well as any senior management with a technical background or IT staffers with management ambitions."

Visible Ops presents a framework that creates productive interfaces between IT operations groups, security and audit, through repeatable, verifiable and auditable IT processes. By exposing IT controls and acceptance points, security and audit are able to review changes before they are implemented, and detect when these controls are circumvented. These controls are used not just to avoid circumstances which can lead to security incidents or unplanned work, but they also allow the continual monitoring and reduction of variance.

Monitoring changes gives us a critical safety mechanism, just like a rock climber with a ratchet. The ratchet allows the rope to move in one direction, preventing the climber from falling. Monitoring change to enforce the process prevents our organization from sliding back into a state of uncontrolled change.
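As an added illustration of the detective control described above (example code written for this page, not from the Visible Ops handbook or the article's authors): a change-monitoring check that fingerprints managed files, compares them with the last known good baseline, and reconciles every difference against the authorized-change records, so that a change with no corresponding ticket is reported as a circumvented control. All file paths, contents and ticket ids are constructed sample values.

```python
"""Detective control: reconcile observed configuration state against the
change-management baseline and the log of authorized changes."""
import hashlib


def sha256(data: bytes) -> str:
    """Fingerprint file content so a baseline can be compared without storing the file."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: "last known good" fingerprints recorded when each file
# was last deployed through the authorized change process.
BASELINE = {
    "/etc/ssh/sshd_config": sha256(b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": sha256(b"root ALL=(ALL) ALL\n"),
    "/opt/app/config.yml": sha256(b"db_host: db01\n"),
    "/opt/app/feature.flag": sha256(b"on\n"),
}

# Constructed sample: what the monitoring agent observes on the host now.
OBSERVED = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",  # unchanged
    "/etc/sudoers": b"root ALL=(ALL) ALL\ndeploy ALL=(ALL) NOPASSWD: ALL\n",  # changed, no ticket
    "/opt/app/config.yml": b"db_host: db02\n",  # changed, covered by a ticket
    "/etc/cron.d/nightly": b"0 2 * * * root /opt/app/rotate.sh\n",  # new file, no ticket
    # "/opt/app/feature.flag" is absent: removed without a ticket
}

# Constructed sample: approved changes from change management (ticket id -> paths).
AUTHORIZED = {"CHG-2005-118": {"/opt/app/config.yml"}}


def reconcile(baseline: dict, observed: dict, authorized: dict) -> dict:
    """Classify every managed path as unchanged, authorized, unauthorized or removed.

    A path whose fingerprint differs from the baseline (or which is new) is only
    'authorized' when some approved change record names it; otherwise the
    preventive change process has been bypassed and the finding is 'unauthorized'.
    """
    covered = {path: ticket for ticket, paths in authorized.items() for path in paths}
    report = {"unchanged": [], "authorized": [], "unauthorized": [], "removed": []}
    for path in sorted(set(baseline) | set(observed)):
        if path not in observed:
            report["removed"].append(path)
        elif path in baseline and sha256(observed[path]) == baseline[path]:
            report["unchanged"].append(path)
        elif path in covered:
            report["authorized"].append((path, covered[path]))
        else:
            report["unauthorized"].append(path)
    return report


if __name__ == "__main__":
    for category, findings in reconcile(BASELINE, OBSERVED, AUTHORIZED).items():
        print(f"{category}: {findings}")
```

Anything in the "unauthorized" or "removed" buckets is the evidence an auditor asks for: a change that happened outside the preventive process, found by the detective control rather than by forensics after an outage.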

"It is not that we don't make mistakes anymore, but we have become more scientific in our approach to mistakes," said Steve Darby, vice president of Operations, IP Services. "Mistakes are seen more as learning experiences and the mistakes have become fewer and farther between. The processes and detective controls have helped us realize many of our goals in the pursuit of world-class IT management."

Excerpted from "The Visible Ops Handbook, Starting ITIL in 4 Practical Steps" by Kevin Behr, Gene Kim and George Spafford. Copyright 2004 by the IT Process Institute (ITPI); all rights reserved.