
auditing

Sarbanes-Oxley, Fraud Prevention, and IMCA: A Framework for Effective Controls Assurance

Gene Kim, VP & CTO, Tripwire

Many companies are starting to grapple with the new regulatory compliance impacts of Sarbanes-Oxley, which holds officers of US publicly held companies accountable and responsible for the internal system of controls. For many, especially auditors and risk management officers, Sarbanes-Oxley represents an extremely rare opportunity to increase controls assurance to reduce the risk of fraud. Most organizations facing Sarbanes-Oxley are overwhelmed by its enormous scope, and are sometimes hampered by the perception that compliance will not only create an enormous amount of work, but will provide little value back to the business.

Why are IT operational controls so important?

In most large businesses, critical financial processes run automatically on a vast, complex computing and networking infrastructure. It’s tempting to believe that this infrastructure is a monumental, unchanging entity and that once policies are established and the systems are running, everything is fine. In fact, IT operations are often surprisingly and alarmingly fluid.

New servers and network devices are put into production. New software is installed. Old software is patched. Hundreds of configurations change daily. Systems can change from a known good state either intentionally or via a process known as “integrity drift.” Security breaches or unintentional errors create vulnerabilities that go unnoticed. Even remedying security breaches or patching software can cause changes that are never fully documented.

The need for effective change management is driven by two factors: compliance with Sarbanes-Oxley Section 404 and the need to drive towards operational excellence. First, it is clear to auditors that financial applications reside on top of infrastructure systems. Indications of poor service levels are an immediate flag for control issues. The ERP system may be running flawlessly, but if nobody can reach it due to a network failure, failed system upgrade, or improperly tested business rule change, then there are issues. For today’s organizations to operate effectively, access to systems must adhere to defined service levels.

According to the Information Technology Infrastructure Library (ITIL) and BS15000 frameworks, as well as auditing and control frameworks such as COBIT and COSO, IT operational integrity hinges on change and configuration management processes. Proven integrity assurance software can verify that these processes are actively managed and that monitored systems match a known, good state. When organizations put internal controls in place to meet compliance regulations, the only way to assure that the internal controls are effective is to assure the integrity of the critical underlying IT change and configuration management processes.

What is the silver lining? When IT best practices and integrity assurance frameworks are implemented, organizations can not only evaluate systems and controls against a known good state and meet compliance regulations; they also gain understandable, verifiable information enabling them to significantly improve systems availability, IT service quality, IT staff productivity and cost savings.

What is Sarbanes-Oxley Section 404?

Section 404 of the Sarbanes-Oxley Act of 2002 holds executives of publicly held United States companies responsible for the accuracy of financial statements and financial information issued by their companies. They must also analyse and explain their procedures for internal financial controls based on standards set by the Public Company Accounting Oversight Board. Soon, these analyses and explanations will have to be reviewed by external auditors who must attest to their effectiveness.



According to the Institute of Internal Auditors, the reliability of internal controls and financial reporting depends on technical controls such as change management and monitoring of information, systems, programmes, and operational configurations. Financial reporting integrity depends on the integrity of the IT systems and processes that support financial data. Auditors will look for and evaluate the effectiveness of key preventative controls including:

• Authorization processes establishing procedures for authorizing transactions.

• Separation of duties to prevent circumventing the authorisation processes.

• Effective change management employing detective controls to ensure that all changes go through established authorisation processes.

• Effective change documentation of all authorized infrastructure change requests, change authorisations and resulting infrastructure changes.

• Documentation of exceptions or changes made outside the change management process; documentation of “ad hoc” fixes.
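The separation-of-duties control above is only as good as the effective access behind it; the "Separate roles in theory" scenario later in this article shows how a shared support team can quietly span both sides. The following Python script is an added example written for this edit (it is not the article's, Tripwire's or the IIA's code): it resolves nested group membership transitively and reports every principal whose effective access reaches both the development and the operations environment. The group names, environments and membership data are all constructed for the illustration.

```python
"""Separation-of-duties check over effective (transitive) access. Added example."""
from collections import defaultdict

# Constructed group membership: member -> groups it belongs to.
# Members may themselves be groups, which is how the overlap hides.
MEMBERSHIP = {
    "alice": {"dev-team"},
    "bob": {"ops-team"},
    "carol": {"support-l2"},
    "support-l2": {"support"},
    "support": {"dev-admins", "ops-admins"},   # one support team, both environments
}

# Constructed access grants: group -> set of (environment, resource).
GRANTS = {
    "dev-team": {("development", "dev-app-servers")},
    "dev-admins": {("development", "dev-app-servers"), ("development", "dev-db")},
    "ops-team": {("operations", "prod-app-servers")},
    "ops-admins": {("operations", "prod-app-servers"), ("operations", "prod-db")},
}


def effective_groups(principal: str, membership: dict) -> set:
    """All groups reachable from principal through nested membership (cycle-safe)."""
    seen, stack = set(), list(membership.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(membership.get(group, ()))
    return seen


def effective_access(principal: str, membership: dict, grants: dict) -> dict:
    """environment -> {(resource, granting group)} for everything the principal can reach."""
    access = defaultdict(set)
    for group in effective_groups(principal, membership) | {principal}:
        for env, resource in grants.get(group, ()):
            access[env].add((resource, group))
    return dict(access)


def sod_violations(principals, membership, grants,
                   conflicting=("development", "operations")) -> dict:
    """Principals whose effective access spans every environment in `conflicting`,
    with the resources and the group that granted each, so the finding is auditable."""
    violations = {}
    for principal in principals:
        access = effective_access(principal, membership, grants)
        if all(env in access for env in conflicting):
            violations[principal] = {env: sorted(access[env]) for env in conflicting}
    return violations


if __name__ == "__main__":
    for who, detail in sod_violations(["alice", "bob", "carol"], MEMBERSHIP, GRANTS).items():
        print(f"{who}: {detail}")
```

Reporting the granting group next to each resource is the useful part for an auditor: the finding for carol points at the shared "support" group rather than at the individual, which is where the control actually needs to be fixed.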

The role of ITIL best practices: a framework for verifiable and repeatable processes

An accepted framework for IT practices helps ensure that the necessary controls are in place—and effective. The most widely accepted framework for the management and delivery of IT services is ITIL. More than 42 000 certified ITIL consultants help companies implement ITIL best practices, primarily in Europe and Canada although increasingly in the US.

The ITIL represents a process-based approach to IT activity. All activity is classified under two broad umbrellas as either Service Management or Service Delivery. Rather than basing best practices on technology, ITIL focuses on critical business processes and disciplines needed for delivering high-quality services. This approach defines IT quality as the level of alignment between IT services and actual business needs. As a result, organizations can mature their best practices without regard to specific technologies or obsolescence. ITIL’s accessibility makes it easier for senior executives to both sponsor and shepherd IT quality improvement efforts.

ITIL provides a comprehensive, consistent volume of best practices drawn from the collective experience of thousands of IT practitioners. A series of books guide organizations in the environmental facilities and practical accommodations required for provisioning quality IT services. Out of the ITIL framework has emerged BS15000, the first standard for IT service management.

Three ITIL/BS15000 process areas represent the key leverage points for IT operations: Release, Controls and Resolution processes.

• Release processes—release processes include planning, designing, building, and configuring hardware and software releases to create an accepted library of build components. With an accepted library of known good builds, organizations can ensure the integrity of system configurations at all times. Organizations typically invest in release processes last; yet these processes deliver the highest return on investment because they assure integrity of the entire pre-production infrastructure, where the cost of defect repair is least expensive.

• Control processes—these processes control the number of unique configurations and assets required for efficiently delivering IT services. They also prevent service interruptions and unauthorized changes. Configuration management identifies all working infrastructure components and puts these components under management. When implemented, control processes enable the IT team to plan ongoing maintenance, ensure all critical items are maintained, and when necessary, recreate infrastructure.

• Resolution processes—these processes enable organizations to manage incidents and problems, while providing for controlled, consistent management of IT customers and issues.

Controls maturity spectrum – the road map

Even with a best practices framework, IT professionals still need a place to start. The first step is for an organization to determine which systems and processes work, and which don’t. Internal controls can be characterised as being at one of five levels:

• Unreliable—an unpredictable environment where controls are not designed or in place

• Informal—controls are designed and in place but not documented

• Standardized—controls are designed, in place and documented

• Monitored—standardised controls with periodic testing for effective design and operation, with reporting to management

• Optimized—integrated internal controls with real-time monitoring by management and continuous improvement

Figure 1: Best in class: server/sysadmin ratios

Risks and controls: modern IT realities

Even when organizations have controls in place and appear to manage them, the desired high-control-reliance environment may not truly exist. Controls may be circumvented in several ways, for example:

• Management by belief. There is a well-documented change management system, however it is not actively enforced. Consequently, data centre staff routinely make changes without going through the required change management process, which circumvents the controls.

• Separate roles in theory. The organization has separated application development and application operations tasks so that neither group can access the other group’s infrastructure. They are both supported by the same technical support team, allowing a support engineer access to both the development and operational infrastructure, and thus to circumvent controls.

• Uncontrolled configuration drift. An organization has an area for staging applications before production deployment. After production, configurations are allowed to drift and the original known good state is lost. This nullifies audit results from the pre-production environment.

• Shell game. An organization frantically prepares for a scheduled audit, making the needed changes. During audit interviews and inspection, the auditor sees the configurations and compares them. However, when the auditor leaves, all configurations are rolled back into a non-complying state.

Table 1: Standards of Internal Processes

Controls – change management processes
  Unreliable: None
  Informal: Inconsistently managed changes, such as change notification and announcement
  Standardised: Regular change management meetings, ensuring changes are authorised and scheduled
  Monitored: Infrastructure monitored for changes, and correlated with authorised work orders; integrity of change management process
  Optimized: Management receiving and tracking change success rates and reinforcing culture of change management

Controls – configuration management processes
  Unreliable: None
  Informal: Inconsistent documentation of infrastructure assets, configurations, versions, service levels, business process
  Standardised: Comprehensive asset and configuration management database of relevant assets and dependencies to business processes
  Monitored: Infrastructure is monitored to ensure that deployed infrastructure matches configuration management database
  Optimized: Management receiving and setting targets for number of unique configurations in deployment and operational staffing and costs

Resolution – service levels and stability
  Unreliable: High number of outages and protracted problem resolution times. Highly unpredictable service levels, with inconsistent MTTR and MTBF, with efforts increasingly focused on fire-fighting
  Informal: High-risk changes are sometimes averted at the last minute through change notifications. However, high outage rates remain.
  Standardised: Stakeholders have regular forum to authorize and analyze potential impacts of changes, before being made in production. Some changes that would result in outages are being prevented.
  Monitored: Causal factors of outages are being used in problem management, and frequency of outages is decreasing
  Optimized: Management is receiving and setting targets for MTTR, MTBF, and change success rates

Release – repeatable build and acceptance
  Unreliable: Infrastructure changes are deployed into production in an ad hoc manner, and are non-reproducible. Number of unique configurations in deployment increasing quickly
  Informal: Some documentation and process exists for deployment and change application. Slower rate of increase of unique configuration counts
  Standardised: Majority of infrastructure changes being made through the release management processes, slowing down increase of configuration counts
  Monitored: Relevance of release management processes being tracked by auditing configurations in deployment against "known good state"
  Optimized: Management is receiving and setting targets for process configuration counts, and release management processes are delivering higher levels of platform stability and feature delivery

Using IMCA as a controls self-assessment

Assessing and documenting a company’s current level of assurance can be greatly simplified with a standardized assessment tool. Assessment results can then clearly point the way to necessary practice improvements. The Integrity Management Capabilities Assessment (IMCA) is a benchmarking and assessment tool based on ITIL and the BS 15000 Code of IT practice. The IMCA assesses Control, Problem Management (Resolution), Release Management, and Security processes and assigns the organization a score in each area. It provides organizations with two critical perspectives:

1. A descriptive view—captures a clear, detailed picture of an organization’s current control strengths and weaknesses and how the controls are operationalized and verified.

2. A prescriptive plan—presents specific recommendations based on the IT environment being measured so that the organization can augment or bootstrap necessary controls. Part of the prescription for improvement is a comprehensive report and an evaluation standard for measuring how well a company’s controls meet Sarbanes-Oxley compliance requirements.

Putting the IMCA into practice

IMCA assessments begin by interviewing key participants from each of the organization’s primary IT disciplines. A completed questionnaire is used to score IT operations in its Release, Control, Resolution and Security control capabilities. Scores are then compared with aggregate data from other companies in the same industry as well as with industry best practices. Final results are delivered in a comprehensive report that documents strengths and areas for improvement.

Release processes

Release processes capture and store the known good state of all infrastructure configurations. With these captured, an organization can quickly recreate a known, good configuration in the event of an incident such as a disaster, security breach, vendor failure, or a virus or worm outbreak. Release processes also efficiently and reliably deliver changes into the production environment, including software patches and upgrades. Assured release processes ensure that provisioned systems match the known, good builds and that all configurations have repeatable builds.
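To make "provisioned systems match the known, good builds" concrete, here is an added Python example written for this edit (not the article's or Tripwire's code). It snapshots a directory tree into a baseline of content hashes, permission bits and sizes, then compares the live tree against that baseline and reports drift as added, removed and modified paths. The sample tree, its file names and the "undocumented" changes are all constructed inside the script so it runs offline.

```python
"""Known-good-state baseline and integrity-drift check. Added example."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Content hash plus the attributes that matter for configuration drift."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size}


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def detect_drift(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: paths present in only one, or whose fingerprint changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: capture a known good tree, then change it outside the process."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\nauth=required\n")
        (root / "etc" / "hosts.allow").write_text("ALL: 10.0.0.0/8\n")
        (root / "bin" / "service").write_text("#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)          # the known good state
        # Constructed "integrity drift": none of these went through change management.
        (root / "etc" / "app.conf").write_text("listen=443\nauth=optional\n")  # weakened setting
        (root / "etc" / "hosts.allow").unlink()                                 # control removed
        (root / "bin" / "debug.sh").write_text("#!/bin/sh\n")                   # undocumented file
        os.chmod(root / "bin" / "service", 0o777)                                # permissions loosened
        return detect_drift(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The permission change on bin/service is reported even though its content hash is unchanged, which is why the fingerprint carries mode bits and not just the digest; a real deployment would also store the baseline somewhere the monitored host cannot modify it.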

Control processes

Control process assurance ensures that changes to production configurations are reliably controlled and applied. This includes assuring that all changes can be traced to a valid business reason and that Security, Operations, and R&D or other stakeholders have evaluated changes for potential operational risks before deploying them. The IMCA examines an organization’s operational controls and configuration management practices. Stakeholders must review all proposed infrastructure and software changes before they are made, ensuring a known-good repository for all standard configurations used across the enterprise and preventing configuration drift and uncontrolled changes.

The sample IMCA assessment showed that no formal change management process is documented and there is no consistent change authorization process. The assessment also uncovered the lack of detective controls to map changes to valid business reasons, resulting in loss of process integrity during change and configuration management. Despite having rollback capabilities to revert infrastructure into a known good state, this capability was never used because of a lack of integration between IT operations and R&D. Consequently, IT operations staff have little or no ability to maintain stable and predictable service levels.

Figure 2: In the example IMCA report above, the organisation has world-class release management processes in two areas, but had clear control deficiencies, especially in integrating security into IT operational processes. In this case, security and change management stakeholders are not sufficiently involved in release planning processes. As a result, issues caused unnecessary rework and chaos. Furthermore, despite having formal operations acceptance processes, some releases still went into production without sufficient review.

Resolution processes

This part of the assessment analyzes the company’s problem management processes with the goal of decreasing Mean Time to Resolve (MTTR) outages. Studies show that up to 80% of all system outages result from authorized employees changing something in the infrastructure. When an outage occurs, the most time-consuming part of remedying it is pinpointing the location and nature of the problem. Assured resolution processes not only minimize outages and fire-fighting time, they also improve diagnosis and problem management practices.

The sample IMCA assessment clearly identified an inability to rule out change as a causal factor early in the problem management process. Best-in-class organizations will integrate all relevant evidence into the problem ticket to ensure that causality and problem solving skills are used as part of the problem resolution process. The underlying issues that caused poor service levels, although very much a property of resolution processes, stem from controls and release process problems.

Security processes

Security is a by-product of many other processes and controls operating together effectively. The IMCA examines an organization’s ability to understand the known good state of its IT infrastructure, govern how it is configured and built, and determine whether a change is malicious or authorized.

The benefits of IMCA and IT operational processes

Organizations that assess their integrity management controls and processes gain valuable insight into strengths, weaknesses, and areas of risk. With the information that IMCA delivers, charting a course toward best-in-class IT operations can be made tangible and measurable. IMCA enables organizations to:

• Establish a beach head for operational best practices, allowing future process improvement.

• Create a set of metrics for measuring progress, such as high server/system admin ratios, low MTTR, high Mean Time Between Failures (MTBF), and earliest integration of security into operational lifecycles.

• Target weak areas for quick wins and immediate benefit.

• Create hard organizational change boundaries to improve accountability and responsibility.

• Enforce change management process integrity.

• Measure and articulate the business benefit of process improvements.

• Use the reporting mechanism to meet Sarbanes-Oxley controls assurance requirements.

Once these repeatable and verifiable processes are in place, IT organizations can start generating key metrics during release, control, and resolution processes, ensuring that practices are working. These metrics include:

• Release processes.
  • Time to provision known, good build.
  • Number of fixes/turns to match known, good build.
  • Percentage of deployed systems that match known, good build.
  • Percentage of deployed systems that have security sign-off.
  • Number of pre-production engineers.
  • Servers/platform-build ratio.

• Control processes.
  • Number of changes made in data center.
  • Percentage of changes that were pre-announced.
  • Percentage of changes going through change management system.
  • Number of changes that map to authorized business reason.
  • Percentage of outages caused by change.
  • Number of changes that obsolete repeatable builds.
  • Ops “clean shift handover” success rate.
  • Number of outages caused by change.
  • Number of times change management processes were circumvented.
  • Number of changes that obsolete release processes.

• Resolution processes.
  • Outage and issue MTTR.
  • Number of critical outages.
  • Number of problems.
  • Number of known errors.
  • Aggregate outage downtime.
  • Number of inappropriate escalations.
  • Change success rate.
  • MTBF.
  • Percentage of time spent managing problems.
  • Server/sys admin ratio.
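Several of the control and resolution metrics above, and the "Monitored" level in Table 1 (infrastructure monitored for changes and correlated with authorised work orders), depend on one mechanical step: matching each detected change to the ticket that authorised it. The following Python script is an added example written for this edit (not the article's, Tripwire's or the ITPI's code). It takes constructed change events as an integrity monitor would report them, constructed change tickets, and constructed outage records, correlates them, and derives the percentage of changes going through change management, the number of times the process was circumvented, the percentage of outages caused by change, change success rate, MTTR and MTBF. The field names, the matching rule (host, path glob and maintenance window) and the metric definitions are assumptions, not an ITIL or IMCA standard.

```python
"""Correlating detected changes with change tickets and deriving control metrics. Added example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class Ticket:
    """An authorised change record; the fields are assumptions, not a real CMS schema."""
    ticket_id: str
    host: str
    path_glob: str           # configuration items the ticket covers
    window_start: datetime   # approved maintenance window
    window_end: datetime
    pre_announced: bool


@dataclass
class Change:
    """A change event as an integrity monitor would report it (assumed fields)."""
    host: str
    path: str
    detected_at: datetime


@dataclass
class Outage:
    host: str
    start: datetime
    end: datetime
    caused_by_change: bool   # root cause as recorded by problem management


def match_ticket(change: Change, tickets: List[Ticket]) -> Optional[Ticket]:
    """The ticket that authorises a detected change, or None if it bypassed the process."""
    for t in tickets:
        if (t.host == change.host and fnmatch(change.path, t.path_glob)
                and t.window_start <= change.detected_at <= t.window_end):
            return t
    return None


def control_metrics(changes, tickets, outages, period: timedelta) -> dict:
    """A subset of the article's control and resolution metrics; definitions are assumptions."""
    matched = [(c, match_ticket(c, tickets)) for c in changes]
    authorised = [t for _, t in matched if t is not None]
    circumvented = [c for c, t in matched if t is None]
    change_outages = [o for o in outages if o.caused_by_change]
    # Assumed rule: a ticket failed if a change-caused outage began on its host
    # during the window or within an hour after it closed.
    failed = {t.ticket_id for t in tickets for o in change_outages
              if o.host == t.host
              and t.window_start <= o.start <= t.window_end + timedelta(hours=1)}
    downtime = sum((o.end - o.start for o in outages), timedelta())
    return {
        "changes_detected": len(changes),
        "pct_through_change_management": 100 * len(authorised) / len(changes),
        "pct_pre_announced": 100 * sum(t.pre_announced for t in authorised) / len(changes),
        "times_process_circumvented": len(circumvented),
        "circumvented": [(c.host, c.path) for c in circumvented],
        "pct_outages_caused_by_change": 100 * len(change_outages) / len(outages),
        "change_success_rate_pct": 100 * (len(tickets) - len(failed)) / len(tickets),
        "mttr_minutes": downtime.total_seconds() / 60 / len(outages),
        "mtbf_hours": (period - downtime).total_seconds() / 3600 / len(outages),
    }


def demo() -> dict:
    """Constructed 48-hour sample: two tickets, five detected changes, three outages."""
    t0 = datetime(2004, 3, 1)

    def h(hours):
        return t0 + timedelta(hours=hours)

    tickets = [
        Ticket("CHG-1001", "web01", "/etc/httpd/*", h(2), h(4), pre_announced=True),
        Ticket("CHG-1002", "db01", "/etc/my.cnf", h(22), h(23), pre_announced=False),
    ]
    changes = [
        Change("web01", "/etc/httpd/httpd.conf", h(2.5)),   # inside CHG-1001
        Change("web01", "/etc/httpd/ssl.conf", h(3)),       # inside CHG-1001
        Change("web01", "/etc/passwd", h(10)),              # no ticket at all
        Change("db01", "/etc/my.cnf", h(22.25)),            # inside CHG-1002
        Change("db01", "/etc/my.cnf", h(30)),               # right file, outside the window
    ]
    outages = [
        Outage("web01", h(10.5), h(11), caused_by_change=True),
        Outage("db01", h(22.5), h(23.5), caused_by_change=True),
        Outage("web01", h(40), h(40.5), caused_by_change=False),
    ]
    return control_metrics(changes, tickets, outages, period=timedelta(hours=48))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two circumvented changes in the sample are exactly the "management by belief" case: a change management system exists, but the /etc/passwd edit had no ticket and the second my.cnf edit happened after its window closed. Reporting them by host and path gives the auditor the evidence trail the article asks for, rather than a bare percentage.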

The silver lining: what’s good for IT is good for audit

According to a study conducted by the IT Process Institute, organizations that invested the most in implementing best practices reaped the most benefits:

• Higher service levels.

• Better security.

• Efficient cost structures.

• Control structures most effective for detecting fraud and unauthorized change.

Ensuring compliance with Sarbanes-Oxley is an opportunity for organizations to greatly improve operational stability and efficiency. Accepted best practices, ITIL, guide the way. Proven software solutions and leading network management frameworks put teeth behind best practices. Internal controls put in place now to comply with regulatory mandates will soon pay off in a silver lining—greater security, significant cost savings and high-quality information services.

To find out more about IMCA, go to http://www.tripwire.com/imca or http://www.itpi.org. (At the time of this writing, all the intellectual property of IMCA has been donated to the IT Process Institute, and the content is being moved to the ITPI website.)

For more information about ITIL, visit http://www.ogc.gov.uk/itil/. For more information about BS15000, visit http://www.bs15000.org.uk/.
