2. Agenda
[ The Need ]
[ The Approach ]
[ Configuration Standards ]
[ Change Control – SDLC Validation ]
[ The Results ]
3. The Need
[ Customer Needs ]
Hawaiian Airlines - $1B International Airline
• Sarbanes-Oxley
• PCI
National Retailer - $1.45B, ~900 Stores
• PCI
• Sarbanes-Oxley
4. The Need
[ PCI ]
Required Standards
[ IT General Controls (SOX 404) ]
Verification of Change
[ Universal Goals ]
Improving Quality of Production Implementation
Consistency of Production Systems
Reduce Time to Test + Audit
5. The Approach
[ Focus on Maturity ]
Effectiveness of Controls
Efficiency of Testing + Audit
Repeatability + Service Levels
[ Develop the Process First – Tool Later ]
6. The Approach
[ Rule 1: “Trust is not a Control.” ]
- KPMG Sr. Mgr.
[ Rule 2: “Always Give Something Back.” ]
- Daniel Blander
7. Best Practice I:
Configuration Standards
[ Step 1: Develop + Document Standards ]
[ Step 2: Configure Your Systems ]
[ Step 3: Tripwire Configuration Assessment ]
[ Execution Details ]
Eight Hours of Work per System Type
Make it Your Own – Customize and Test
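The three steps above (document the standard, configure the system, then assess it) come down to comparing observed settings against a written rule set and reporting every variance. The following is an added illustration, not Tripwire's assessment engine or the presenter's material: the rule set `STANDARD` stands in for a documented standard for one system type, and `SAMPLE_CONFIG` is a constructed `Key value` configuration text in the style of an SSH daemon config. Both are assumptions chosen for the example.

```python
"""Configuration standards assessment: check observed settings against the
documented standard and list the variances. Added example; the standard,
the rule names and the sample configuration are constructed."""

# The documented standard for one system type (constructed). Each rule is one
# of: exact value ("expect"), membership ("one_of") or numeric ceiling ("max").
STANDARD = {
    "Protocol": {"expect": "2"},
    "PermitRootLogin": {"expect": "no"},
    "PasswordAuthentication": {"expect": "no"},
    "MaxAuthTries": {"max": 4},
    "LogLevel": {"one_of": {"INFO", "VERBOSE"}},
}

# Constructed sample of a system that drifted from the standard.
SAMPLE_CONFIG = """
# constructed sample configuration
Protocol 2
PermitRootLogin yes          # variance: standard requires "no"
PasswordAuthentication no
MaxAuthTries 6               # variance: standard caps this at 4
# LogLevel is not set at all  -> reported as MISSING
"""


def parse_config(text):
    """Parse 'Key value' lines. Blank lines and '#' comments are ignored and the
    first occurrence of a key wins (the convention sshd_config uses)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def evaluate(settings, standard):
    """Return {key: (status, observed, rule)} for every item in the standard.
    Status is PASS, FAIL or MISSING; a missing setting is a variance too,
    because a standard that is silent in the config is not enforced."""
    results = {}
    for key, rule in standard.items():
        observed = settings.get(key)
        if observed is None:
            results[key] = ("MISSING", None, rule)
            continue
        if "expect" in rule:
            ok = observed.lower() == rule["expect"].lower()
        elif "one_of" in rule:
            ok = observed.upper() in rule["one_of"]
        else:  # "max"
            ok = observed.isdigit() and int(observed) <= rule["max"]
        results[key] = ("PASS" if ok else "FAIL", observed, rule)
    return results


def variances(results):
    """Sorted list of standard items that did not PASS."""
    return sorted(k for k, (status, _, _) in results.items() if status != "PASS")


def assess_sample():
    """Run the assessment on the constructed sample configuration."""
    return variances(evaluate(parse_config(SAMPLE_CONFIG), STANDARD))


if __name__ == "__main__":
    for key, (status, observed, rule) in evaluate(parse_config(SAMPLE_CONFIG), STANDARD).items():
        print(f"{status:8} {key:24} observed={observed!r} rule={rule}")
```

The assessment is only as good as the written standard: the "Make it Your Own" step corresponds to editing `STANDARD` for each system type and re-running the check until the variance list is empty, which is the state an auditor can then verify.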
8. Best Practice I:
The Real Results
[ Red Line – Old Audit + Old Compliance ]
[ Green Line – New Standards + New Compliance ]
(Chart over periods 1 through 12, annotated “Ad-Hoc Configuration Changes” for the red line and “Audit Defined Standards + Tripwire” for the green line.)
9. Best Practice I:
The Real Results
[ Give Back + ROI ]
Visibility to Change for All of IT
Reduced Variances
Reduced Testing Time - 150 Hours to 2
10. Best Practice II:
Change Control Verification
Program Change Management - Applications
INITIATION: Business Input → Change Request Submitted → Request is Reviewed and Approved
DEVELOPMENT: Developer checks out code, makes changes, checks code back in → Code reviewed by Team → Code Changes moved to TEST environment (Configuration Manager)
TESTING: Unit testing → User Testing
APPROVAL: Submitted to Change Control Board (CCB) for Approval → Business Owner Reviews and Approves
IMPLEMENTATION: Change Implementation Performed → Changes moved to Production (Configuration Manager) → Promote by Compare
POST-REVIEW: Post Implementation Review → IT Security Review Changes in Tripwire
11. Best Practice II:
Change Control Verification
[ Requirements ]
Segregated Environments – Dev | Test | Prod
Prior to Changes Test Must Match Prod
Deployment in Test is Deployment in Prod
[ Implement Tripwire – “Promote by Compare” ]
12. Best Practice II:
Change Control Verification
[ The Control – Verification ]
Change is Implemented in Test
• Testing Is Conducted + Approved
• Snapshot of Test Environment Captured by Tripwire
Approved Change is Implemented in Production
• End Users Verify Functionality
• Information Security Verifies Change with Tripwire
• Promote by Reference
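The control on this slide is a comparison: the approved test environment is snapshotted, and after deployment the production system is verified against that snapshot, so any file that is missing, unexpected or modified relative to what was tested is a variance for Information Security to review. The example below is added here and is not Tripwire's implementation or the presenter's code; it builds two small constructed directory trees (test and production) in temporary folders, takes a SHA-256 manifest of the approved test tree, and verifies production against it, with a `logs/` prefix excluded as the kind of path that is expected to differ between environments. Directory contents, the ignore prefix and the drift introduced in production are all constructed for illustration.

```python
"""Promote by Compare: snapshot the approved test environment, then verify the
production deployment against that snapshot. Added example, not Tripwire's
code; the directory trees and the drift below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root_path).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(expected, actual):
    """Diff two manifests; 'expected' is the snapshot of the approved test system."""
    return {
        "missing": sorted(k for k in expected if k not in actual),
        "unexpected": sorted(k for k in actual if k not in expected),
        "modified": sorted(k for k in expected if k in actual and expected[k] != actual[k]),
    }


def verify_promotion(test_root, prod_root, ignore=()):
    """Return (ok, diff). Paths starting with any prefix in 'ignore' (e.g. logs)
    are excluded on both sides because they legitimately differ per environment."""
    expected = {k: v for k, v in snapshot(test_root).items() if not k.startswith(ignore)}
    actual = {k: v for k, v in snapshot(prod_root).items() if not k.startswith(ignore)}
    diff = compare(expected, actual)
    return not any(diff.values()), diff


def _write_tree(root, files):
    """Helper: materialise {relative path: text} under root."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Constructed scenario: a clean promotion, then production drift.
    Returns ((clean_ok, clean_diff), (drift_ok, drift_diff))."""
    approved = {  # content of the tested and approved release (constructed)
        "app/main.py": "print('release 2')\n",
        "app/config.ini": "[db]\nhost=db\n",
        "logs/app.log": "started\n",
    }
    with tempfile.TemporaryDirectory() as test_dir, tempfile.TemporaryDirectory() as prod_dir:
        _write_tree(test_dir, approved)
        # Production carries the same release; only its log differs, which 'ignore' absorbs.
        _write_tree(prod_dir, {**approved, "logs/app.log": "started\nrequest served\n"})
        clean = verify_promotion(test_dir, prod_dir, ignore=("logs/",))

        # Simulate an untested change landing in production after approval.
        (Path(prod_dir) / "app/config.ini").write_text("[db]\nhost=db\ndebug=1\n")
        (Path(prod_dir) / "app/hotfix.py").write_text("pass\n")
        drift = verify_promotion(test_dir, prod_dir, ignore=("logs/",))
    return clean, drift


if __name__ == "__main__":
    (clean_ok, clean_diff), (drift_ok, drift_diff) = demo()
    print("clean promotion verified:", clean_ok, clean_diff)
    print("drifted promotion verified:", drift_ok, drift_diff)
```

The verification only has meaning if the requirement from the previous slide holds: test must match production before the change, so that the only differences the compare surfaces are the approved change itself. The ignore list is where that discipline is most easily lost; every prefix added to it is a place where untested change can hide, so it should be as short as the documented standard allows.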
13. Best Practice II:
Change Control
[ ROI ]
Trust of Auditors in Change Validity
Improved SLA – Quality and Accuracy
Quality of Implementation Improves
[ Musings ]
Use of VMware
14. Take This Home With You
[ Process First – Then Tools ]
[ Make Sure the Effort Gives Something Back ]
Real ROI – not FUD
Culture of Consistency
Improved Delivery
Efficiency Through Automation ($24k Savings)
15. Questions
Daniel Blander
Daniel.Blander@techtonica.com
(714) 815-3653