Hal Pomeranz and I did a webinar called “Ditching the Infosec Stereotype: Part 1: Fixing Broken Change Control Processes” a couple of weeks ago.
As I mentioned in a previous blog entry, I’m a big fan of Hal. I loved the work he’s done at places that had truly mission-critical environments, including at eBay, Cendant and Google. He and I, along with Kevin Behr, share a common passion for how to deliver kick ass IT, or as I’ve called it over the years, how to have amazing IT kung fu.
The webinar went great, but I think we were both surprised by the number of questions that we got from the webinar attendees. We had 22 questions posted, of which we could only answer a couple.
So, earlier today, we did a second webinar (post link), just to answer some of these questions. Over the next couple of weeks, I’ll be posting answers to some of them.
Question: How Should I Engage Internal Audit In The Change Management Process?
By the book, audit engagements have four distinct phases: planning, fieldwork, reporting and follow-up. Life in IT management sucks when your time with auditors is dominated by preparing for and undergoing audits as they do their fieldwork (imagine teams of auditors showing up with suitcases). Or actually, far worse, when they’re walking you through their findings, extracting promises from you to have them fixed within 90 days in front of your boss.
Obviously, the way to reduce time spent in both of these areas is to have an effective change management process, with both preventive controls (e.g., defined policies, defined authorization levels, defined consequences when people go around the process, etc.) and detective controls (e.g., monitoring and reconciliation controls like Tripwire). This allows you to assert and substantiate that you have no unauthorized changes.
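The detective side of that sentence is a reconciliation: every change a monitoring tool detects should map back to an authorized change record, and anything that does not is, by definition, an unauthorized change. The following is an added example (not code from the post, Hal, or Tripwire) of that reconciliation in Python. The log line format, host names, ticket IDs, paths and maintenance windows are all constructed for illustration; a real file-integrity monitor has its own export format, and the parser would be adapted to it. It also reports the reverse direction, tickets that were authorized but never produced an observed change, which is the kind of mismatch that mass-closing tickets before an audit tends to create.

```python
"""Reconcile detected changes against authorized change records.

Added example: the FIM log format, hosts, paths, ticket IDs and windows
below are constructed for illustration and are not from any real tool.
"""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch


@dataclass(frozen=True)
class DetectedChange:
    detected_at: datetime
    host: str
    action: str      # e.g. MODIFIED / ADDED / DELETED, as the monitor reports it
    path: str


@dataclass(frozen=True)
class AuthorizedChange:
    ticket: str
    host: str
    path_glob: str          # which files the ticket authorizes touching
    window_start: datetime  # approved implementation window
    window_end: datetime

    def covers(self, change: DetectedChange) -> bool:
        """A detected change is authorized only if host, path and time all match."""
        return (change.host == self.host
                and fnmatch(change.path, self.path_glob)
                and self.window_start <= change.detected_at <= self.window_end)


def parse_fim_line(line: str) -> DetectedChange:
    """Parse a constructed '<iso-timestamp> <host> <action> <path>' line."""
    ts, host, action, path = line.split(maxsplit=3)
    return DetectedChange(datetime.fromisoformat(ts), host, action, path)


@dataclass
class Reconciliation:
    matched: dict = field(default_factory=dict)        # DetectedChange -> ticket
    unauthorized: list = field(default_factory=list)   # changes with no ticket
    unused_tickets: set = field(default_factory=set)   # tickets with no change


def reconcile(detected, authorized) -> Reconciliation:
    """Map each detected change to the first ticket that covers it.

    Changes with no covering ticket are unauthorized; tickets that covered
    nothing are reported so they can be questioned as well.
    """
    result = Reconciliation()
    used = set()
    for change in detected:
        ticket = next((a.ticket for a in authorized if a.covers(change)), None)
        if ticket is None:
            result.unauthorized.append(change)
        else:
            result.matched[change] = ticket
            used.add(ticket)
    result.unused_tickets = {a.ticket for a in authorized} - used
    return result


# Constructed sample data: two approved tickets, four observed changes.
AUTHORIZED = [
    AuthorizedChange("CHG-1001", "web01", "/etc/nginx/*",
                     datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 4, 0)),
    AuthorizedChange("CHG-1002", "db01", "/etc/postgresql/*",
                     datetime(2024, 3, 6, 1, 0), datetime(2024, 3, 6, 3, 0)),
]

FIM_LINES = [
    "2024-03-05T02:30:00 web01 MODIFIED /etc/nginx/nginx.conf",        # in window, covered
    "2024-03-05T02:35:00 web01 MODIFIED /etc/ssh/sshd_config",         # path not authorized
    "2024-03-05T03:10:00 web01 ADDED /etc/nginx/conf.d/site.conf",     # in window, covered
    "2024-03-06T05:00:00 db01 MODIFIED /etc/postgresql/pg_hba.conf",   # outside window
]


def run_sample() -> Reconciliation:
    return reconcile([parse_fim_line(l) for l in FIM_LINES], AUTHORIZED)


if __name__ == "__main__":
    r = run_sample()
    for change, ticket in r.matched.items():
        print(f"OK           {change.host} {change.path} -> {ticket}")
    for change in r.unauthorized:
        print(f"UNAUTHORIZED {change.host} {change.path} at {change.detected_at}")
    for ticket in sorted(r.unused_tickets):
        print(f"NO CHANGE    {ticket} was approved but nothing was observed")
```

In this sample the sshd_config edit fails on path and the pg_hba.conf edit fails on time, so both surface as unauthorized, and CHG-1002 surfaces as a ticket that never corresponded to a real change. Running this on every monitor cycle, and keeping its output, is what turns "we have change control" into evidence an auditor can test.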
But, provided that you have these controls in place, there is also a less formal way that you can help increase auditors’ perception of controls assurance. That’s to proactively reach out to internal audit, and offer them a standing invitation to join any of your change management meetings.
Having them sit in on even one change management meeting allows them to observe and form an opinion on the effectiveness of the process. They will hopefully see how the meeting is being effectively run, how changes are evaluated and authorized, how they are reviewed after their scheduled implementation, and how failures, exceptions and unauthorized changes are handled.
In auditor parlance, observation is one of the types of evidence that auditors can use to support their opinions on the effectiveness of controls. (The other types of evidence include surveys, testing and independent sources.)
If the auditor observes that no one is showing up to the change management meetings, that authorizations are rubber stamped without any real evaluation, and that unauthorized changes and unplanned outages are occurring regularly, then she will likely flag this as a potential high risk area.
However, if the auditor observes that the meetings are competently run, changes are documented and planned, authorizations are thoughtful and considered, and unauthorized changes are quickly dealt with, then this is likely to be viewed as a lower risk area. Consequently, they will likely spend less time in their fieldwork doing change control testing.
Contrast this to some organizations that spend hundreds, sometimes even thousands of hours, working in emergency projects to try to “clean house” before the auditors arrive to do their testing. This is what leads to sometimes absurd behaviors, such as closing 6000 change control tickets in one day.
Hal noted during the webinar that this level of transparency is good to extend not only to audit, but business stakeholders as well.
So, to summarize. Reach out proactively to your friendly internal IT auditor that you may have worked with in the past, ask for a meeting to share respective views of the risks that the IT change control processes are designed to mitigate, offer to have someone on their team observe one of your change management meetings, and send them the relevant policies first.
This will help build a mutually respectful working relationship, help build an ongoing dialogue about risks, and provide transparency to them about how the change management process is being run. If the change controls are actually working, this can dramatically reduce the amount of time the auditor spends in the fieldwork, reporting and follow-up phases of the audit.
Questions or comments? Feel free to send me a note on Twitter! I’m @RealGeneKim.