Introduction To Change Management And SDLC


Introduction to Change Management and SDLC
Steve Owyoung, Sr. Manager, KPMG LLP, IT Advisory
Doug Mohrland, Audit Manager, Oracle Corporation

Discussion topics
o Why change management and its significance
o Types of changes in production environment
o Change management controls
o Impact of weak change management control
o Integrity management
o Change management leading practices
o Software Development Life Cycle (SDLC)

Why change management and its significance?
[Diagram: Organization]

Why change management and its significance?
Total fraud losses in the United States estimated to be 994 billion in 2008.
Of all the computer crimes reported, 75% - 90% of computer crime is committed by former or current employees (knowledgeable insiders).
[Chart: computer fraud by occupation - Managers, Application Programmers, Users, Clerical, Students, Others; values shown include 14% and 11%]

Why change management and its significance?
Change management – it is significant because it helps an organization to be efficient:
– Adapting to change
– Controlling change
– Effecting change

Types of changes
Changes in production environment
[Diagram: Internet, Network, Equipment, Physical Control]

Change management controls
Planned/routine maintenance changes procedure and controls
[Flowchart]

Change management controls
Emergency/System Recovery change procedure and controls

EMERGENCY CHANGES (flowchart)
o Change requestor: request a change (complete an Emergency Change Request Form).
o The change requestor solicits management approval (verbal is acceptable).
o Approved by management or by the staff managing the production systems?
– No: the staff managing the production systems perform professional judgment and make a decision whether to proceed or cancel the emergency change.
– Yes: continue.
o Test required?
– Yes: perform testing (test environment); test passed? Continue once the test has passed.
– No: continue.
o Notify all the constituents before production implementation.
o Implement change into production.
o Perform post-implementation monitoring.
o The changes and the back out plans should be documented in the Change Request Form for later management review.

SYSTEM RECOVERY
o The production support staff immediately respond and start resolving the issue.

Impact of weak change controls
o Financial loss
– Brand/reputational damage
– Losing a customer/business
o Legal exposure (sensitive data disclosure)
o Unplanned, unauthorized and undocumented changes
o Prone to system attack / outages (DoS)
o Misuse of resources (unplanned work)

Integrity management
o Prevention
– Restrict logical access
    - Firewall, IDS, OS and Application
– Unnecessary services
    - Disable at the servers
    - Block by the firewalls
– Restrict physical access
    - Restrict physical access to the facilities that house critical systems to ONLY authorized employees
    - Perform periodic physical access reviews

Integrity management
o Detection
– Monitor metadata and look for changes
    - Create, store and monitor baseline metadata values
    - Metadata values: modification time, file size and cryptographic checksum
– Integrity Management Software
    - Reads files or directories to monitor – critical network configuration, data files, customer database files, documents and spreadsheets
    - Takes action when a violation (change) occurs
– Intrusion detection (IDS)

Integrity management
o Recovery
– Maintain a backup copy of the production data
– Identify changes based on the Integrity Management Software report
– Determine whether a change is authorized or not
– Restore a file if the change is deemed unauthorized or malicious
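As an added example (not part of the presentation), a small Python illustration of the detection and recovery slides above: it stores the baseline metadata the slide names (modification time, file size, SHA-256 checksum), reports added, modified and deleted files, and restores from the backup copy anything not covered by an approved change request. The directory layout, file names and the authorized-change set are constructed for the demo.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path
def file_metadata(path):
    # The baseline values named on the slide: modification time, file size, cryptographic checksum
    st = os.stat(path)
    with open(path, "rb") as f:
        return {"mtime": st.st_mtime, "size": st.st_size, "sha256": hashlib.sha256(f.read()).hexdigest()}

def build_baseline(root):
    # Record metadata for every regular file under the monitored directory, keyed by relative path
    return {os.path.relpath(os.path.join(d, n), root): file_metadata(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def detect_changes(root, baseline):
    # Compare the live tree with the stored baseline; the checksum, not mtime, decides "modified"
    current = build_baseline(root)
    return {rel: "deleted" if rel not in current else "added" if rel not in baseline else "modified"
            for rel in baseline.keys() | current.keys()
            if rel not in current or rel not in baseline or current[rel]["sha256"] != baseline[rel]["sha256"]}

def review_and_restore(root, backup_root, changes, authorized):
    # Recovery: a change covered by an approved request is accepted; otherwise restore the backup copy (an added file is removed)
    report = {}
    for rel, kind in changes.items():
        if rel in authorized:
            report[rel] = "authorized"
            continue
        report[rel] = "unauthorized %s, restored" % kind
        if kind == "added":
            os.remove(os.path.join(root, rel))
        else:
            shutil.copy2(os.path.join(backup_root, rel), os.path.join(root, rel))
    return report

def demo():
    # Constructed scenario: one approved edit, one edit with no change request, one unexpected new file
    work = tempfile.mkdtemp()
    prod, backup = os.path.join(work, "prod"), os.path.join(work, "backup")
    os.makedirs(prod)
    Path(prod, "app.conf").write_bytes(b"debug=false\n")
    Path(prod, "fw.rules").write_bytes(b"deny all\n")
    shutil.copytree(prod, backup)                          # backup copy of production data
    baseline = build_baseline(prod)                        # baseline taken while the tree is known-good
    Path(prod, "app.conf").write_bytes(b"debug=true\n")    # covered by an approved change request
    Path(prod, "fw.rules").write_bytes(b"allow all\n")     # no change request on record
    Path(prod, "unexpected.tmp").write_bytes(b"")          # file that is not in the baseline at all
    report = review_and_restore(prod, backup, detect_changes(prod, baseline), {"app.conf"})
    restored = Path(prod, "fw.rules").read_bytes()
    shutil.rmtree(work)
    return report, restored
```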

Change management leading practices
o Change management policy, procedure and standards
o Change request management
o Approval process
o Deployment management
o Change result management
o Monitor application and networks

Change management leading practices
Change management policy, procedure and standards
o Prioritize/categorize changes based on downtime, lead time, type of services and severity of the change (Low, Medium, High, Urgent)
o Roles and responsibilities
– Define and designate qualified personnel's roles
– Segregation of duties (SOD)
– Communication
– Enforce change-management process

Change management leading practices
Change Request Management
o Change Request Analysis
– Business Analysis
    - The likelihood of success
    - Significance to business
    - Resources required and business justification
– Technical Analysis
    - System dependencies
    - Technical requirement
    - Project estimate
o Change Request Reporting
– Make the change requests visible to management
– Retain status of the change request when it is analyzed, prioritized, tested and deployed

Change management leading practices
Approval Process
o Appropriate approval should be obtained between the different phases of the change management process
o Management approval should be documented

Change management leading practices
Deployment Management
o Logical environments (separate) – Development, Test/QA and Production
o Deployment process
– High category changes
– Low/Medium category changes
– Emergency changes
o Leverage Technology
– To provide auditability and versioning throughout the deployment process

Change management leading practices
Result management
o Key Performance Indicators (KPI) about the entire Change Management Process
– Process bottlenecks, successful techniques, etc.
o Use the KPIs (by management) to make adjustments to the change management procedure and practices
o Post change implementation monitoring

Change management leading practices
Monitor application and networks
o Integrity checks
– Using automated monitoring tools
– Incident response
    - Escalation process
o Periodic reviews
– User access – OS, apps, network, etc.
– System configuration – servers, network equipment, etc.

Software Development Life Cycle
Relationship between change management and SDLC
o Managing change is a critical component of any SDLC model
– Change Management and SDLC are not mutually exclusive
o Change management occurs throughout the development life cycle
o Cost of changes is higher once out of development

Software Development Life Cycle
Relationship between change management and SDLC
o Waterfall model
[Diagram]

Software Development Life Cycle
Relationship between change management and SDLC
o Iterative model
– Agile Methodology
– Rational Unified Process (RUP)
– Rapid Application Development (RAD)
– Joint Application Development (JAD)

Software Development Life Cycle
Relationship between change management and SDLC
o Prototyping
[Diagram: Manage Change]

Software Development Life Cycle
Relationship between change management and SDLC
o V Model
[Diagram]

Software Development Life Cycle
Tools to better manage change
o Requirements Management
o Visual Modeling
o Automated Testing
o Change Management

Course Review
o Why change management and its significance
o Types of changes in production environment
o Change management controls
o Impact of weak change management control
o Integrity management
o Change management leading practices
o Software Development Life Cycle (SDLC)

Questions?

Contact Information
Steve Owyoung, sowyoung@kpmg.com, 415-963-7603
Doug Mohrland, doug.mohrland@oracle.com, 650-506-3737

Appendix
Types of Changes

Types of changes
OS changes (Host)
o Applying OS patches
– OS vendor recommendation
– Opening/closing OS services
o Re-imaging
– As a backup plan when an OS update didn't go as planned
– As part of major/minor/emergency application changes

Types of changes
Network changes
o Software changes
– Deploying OS
– Patching OS
o Configuration changes
– Updating firewall, router, switch configuration
o Hardware changes
– Adding/removing network equipment

Types of changes
Application changes
o Company specific application change
– Major, minor and emergency changes
– New releases
– Bug fixes
o Application configuration changes
o Database changes
– Schema changes
– Database upgrades (version upgrade)

Types of changes
Physical access change
o Physical access to data center
– Preventing root level access through a system console
– Deactivating terminated employee's physical access
– Deactivating temporary physical access

Types of changes
Logical access change
o OS Access Change
– Privileged access to production/mission-critical server
o Application Access Change
– Privileged access to production/mission-critical application
o Network Access Change
– Privileged access to network equipment
