Search
Topics
  Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
Modules
· Home
· Content
· FAQ
· Feedback
· Forums
· Search
· Statistics
· Surveys
· Top
· Topics
· Web Links
· Your_Account

Current Membership

Latest: LFurlong
New Today: 52
New Yesterday: 49
Overall: 148396

People Online:
Visitors: 54
Members: 0
Total: 54

Languages
Select Interface Language:


Major ITIL Portals
For general information and resources, ITIL and ITSM World is the most well known for both ITIL and ITIL Books. A shorter snapshot approach can be found at ITIL Zone

Related Resources
Service related resources
Service Level Agreement
Outsourcing

Note: ITIL is a registered trademark of OGC. This portal is totally independent and is in no way related to them. See our Feedback Page for more information.


The Itil Community Forum: Forums

ITIL :: View topic - Vulnerability Scanning Going through Change Management
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Vulnerability Scanning Going through Change Management

 
Post new topic   Reply to topic    ITIL Forum Index -> Change Management
View previous topic :: View next topic  
Author Message
MegaDuck
Newbie
Newbie


Joined: Sep 28, 2007
Posts: 7

PostPosted: Thu Jan 17, 2008 5:35 am    Post subject: Vulnerability Scanning Going through Change Management Reply with quote

There has been some recent discussion in my organizations on how to handle vulnerability scanning against production devices. While agents have been installed on all the target devices, my security group would like to run quarterly vulnerability scans.

The issue at hand is how to handle this request. Most people I have spoken to have agreed that "scanning" a server is not a change. It has been argued that it is an operational task. However, we have identifed the risk that scans can impact production servers by impacting performance. Because of this risk of impact, some people would like to classify the scanning event as a change.

The risk that we have of classifying the vulnerability scanning event, is that it would set precedence for similar type of events. For example, we could start getting into the business of managing Virus Scans, Altiris Discovery, Hardware/Software Discovery, and other planned operation that may affect service levels as a change. It has been argued that this is not a platform for change.

If that is the case, what is the best way to handle it? Or, how do you handle similar type of events which have known impact, requires approval and notification, but does not fall into an ITIL definition of a change?
Back to top
View user's profile
scar3face
Newbie
Newbie


Joined: Nov 21, 2007
Posts: 13

PostPosted: Thu Jan 17, 2008 10:23 am    Post subject: Reply with quote

Good question, I'm interested in the replies.
Back to top
View user's profile
dboylan
Senior Itiler


Joined: Jan 03, 2007
Posts: 189
Location: Redmond, WA

PostPosted: Thu Jan 17, 2008 10:37 am    Post subject: Re: Vulnerability Scanning Going through Change Management Reply with quote

Whether or not this is a Change is dependent on how you have structured the data in the CMDB. The implemented Change record should be the driver to update a state or attribute of a CI in the CMDB. If you are tracking "Last Scan Date" in the CMDB, then yes, the Scan would update that field. In which case, it should be handled as a Change request.

Personally, I wouldn't track that level of detail in a CMDB since it adds little value to my managing the inter-relationships of the IT infrastructure.

What it sounds like you should be doing is opening an Incident. Remember that an Incident isn't just an outage. It is any event outside the normal operation of a Service that causes, or may cause, an interruption or degradation in quality of that Service.

The scan sounds like an event that is outside the normal operation of a scanned device that might cause a degradation in the quality of the Service reliant on that device.

Don
Back to top
View user's profile
UKVIKING
Senior Itiler


Joined: Sep 16, 2006
Posts: 3318
Location: London, UK

PostPosted: Thu Jan 17, 2008 7:40 pm    Post subject: Reply with quote

To carry on from what Don said.

There should be at least an Incident ticket for this because this is happening.

If the scan is going to cause ANY noticeable impact on the service that is provided during the operational hours of a service, then a change request shoudl be raised merely to get the services imapct a chance to be aware

sort of like maintenance change requests
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
Back to top
View user's profile
Ed
Senior Itiler


Joined: Feb 28, 2006
Posts: 411
Location: Coventry, England

PostPosted: Thu Jan 17, 2008 9:31 pm    Post subject: Reply with quote

For me this is about Availability, not about Change - All that really needs to happen, is that the scans are run 'out of hours'.

The incident should be enough, if routed properly, to get the Availability guys aware of the issue.

Regards

Ed
Back to top
View user's profile
Skinnera
Senior Itiler


Joined: May 07, 2005
Posts: 121
Location: UK

PostPosted: Fri Jan 18, 2008 12:55 am    Post subject: Reply with quote

I would put this under Change, as it is a non-BAU activity that affects the status of the server and potentially impacts its performance.

Doing so also allows the CAB to test whether the proper checks & processes have been put in place to mitigate any potential risk, which is the purpose of any Change system.

It is not an Incident, as that's something we didn't expect to happen?

As for virus scans etc, they are BAU activities for me, so no need for Changes to be raised.
Back to top
View user's profile Send e-mail
Ines
Newbie
Newbie


Joined: Mar 21, 2006
Posts: 18

PostPosted: Fri Jan 18, 2008 12:21 pm    Post subject: "Informational change" Reply with quote

My org treats these as Informational Changes - There will have been a previous official RFC raised and approved to install the scanning software on the devices, with advise of its approximate running frequency.
Therefore, just a change record in the system, raised by the Change Manager, to warn of this event, given the potential for degradation of service, particularly during BH. A placemarker for visibility purposes, essentially.
Back to top
View user's profile
Mark-OLoughlin
Senior Itiler


Joined: Oct 12, 2007
Posts: 306
Location: Ireland

PostPosted: Fri Jan 18, 2008 6:53 pm    Post subject: Reply with quote

Hi,

At the very least you need an incident to trigger off awareness of what you are doing and when, The Service Desk need to be informed of this.

I prefer to see thiese as change requests due to the potential impact that could be caused and I have seen impact. E.g. a scan takes up all the available bandwidth and basically killed the network - that was major impact. to prevent this from happening again the scans were under change control as change control covers risk and impact assessments and incidents do not.

Also scan may have to happen duing the day which adds to the risk. Remember it is about control and making sure that you do not disrupt any services. The change process can ensure this better that incident process.
_________________
Mark O'Loughlin
ITSM / ITIL Consultant
Back to top
View user's profile
Display posts from previous:   
Post new topic   Reply to topic    ITIL Forum Index -> Change Management All times are GMT + 10 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB 2.0.8 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem,
sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).

Version 2.1 by Nuke Cops 2003 http://www.nukecops.com

Forums ©

 

Logos/trademarks property of respective owner. Comments property of poster. Rest 2004 Itil Community for Service Management & Foundation Certification. SV
Site source copyright (c)2003, and is Free Software under the GNU / GPL licence. All Rights Are Reserved.