Friday, May 30, 2014

Survey Finds Many Changes Are Undocumented

Netwrix, developers of Netwrix Auditor, recently released a survey of 577 IT professionals showing many organizations - especially smaller IT teams - lack either change management controls, documentation of completed changes or both.

Some of the specific findings included:
• Undocumented changes were happening at 57% of surveyed organizations
• IT Departments at 62% of organizations had no real ability to audit changes
• Changes led to service interruptions at 65% of entities; and
• At 17% of Large Enterprises, a change had been found to be the root cause of a security breach

Although these results are shocking, I don't find them surprising. I have seen the factors that lead to these results both as a member of IT staff and as an external IT auditor. IT Change Management is a foundational part of every IT Department’s mission, and most people would agree that weakness in Change Management leads directly (as this survey shows) to increased system downtime, security breaches, internal and external threats, and reduced operational efficiency.

Change Management is a task that competes for resources (mainly time and budget) with a variety of other tasks and missions. If IT itself tends to be a "cost-center" and part of the plumbing (necessary, but not "sexy"), then Change Management is the epicenter of "plain-Jane" invisibility. Except that if you can't maintain appropriate controls (including disciplinary controls) over this area, then the entire IT function is compromised. This is the "blocking and tackling" of IT. It doesn't matter how fast or powerful that expensive new system is if it suffers too much downtime or is compromised internally or externally.

The majority of organizations surveyed reported they had Change Management process controls in place, although this declined with the size of the organization. The lack of Change Management process controls was even more pronounced when measured against IT Staff size. Although 38% of organizations stated that they had systems in place to audit changes, many of those respondents were relying on system log data as their change audit system. While system logs contain important change-related data, the presence of that data is no guarantee that it’s in a meaningful format.

This opens the door for the most eye-opening finding: that 57% of respondents were making continual periodic changes that were not documented. 7% of respondents reported making continual periodic undocumented changes daily, 21% reported making them weekly and 20% reported making them monthly. Many of the organizations surveyed had processes in place and/or documented known changes, but without knowledge of all the changes to systems that occurred, they had no way of measuring the effectiveness of their Change Management controls. This enabled IT staff to make changes to systems without oversight, risk assessment, or documentation of completed changes to refer to in the event of service interruptions or security events. And this was true (to a greater or lesser extent) regardless of entity or IT Staff size.

Given the potential risks to organizations, IT Change Management (and the ability to verify the effectiveness of the process) is key to limiting the risk of both security incidents and service interruptions. Organizations of all sizes would be well advised to consider whether the resources they are devoting to the Change Management process are really appropriate. If you can't successfully and repeatably make a change to a system or infrastructure, your entire entity is at risk.
