Posted: Tue Jul 24, 2007 2:00 am Post subject: How to audit the configuratin management
I have to conduct an Inventory System Audit. I have no specific knowledge in this field, so I started looking for best practices and frameworks and got to ITIL.
The configuration management described seems to be what I need to look for (issues, concepts...), but in a much more complex way. See, I work for a company, more or less like a bank. We are just implementing a TI Audit team and we really have no support whatsoever to conduct our activities (the department has just been created by legal issues, not because the directors have actually saw something good coming from it).
We were assigned to run a Inventory System Audit, and there is no way my company could implement a completed CMDB, at least for now, so looking for that would be a waste of time.
I need your help to clarify what points or items should I look for? Which ones are essential? Let´s say, to have a minimum, basic, simple, but yet somehow connected to ITIL, Inventory System.
PS: Our main concern is not the commercial softwares, like OS´s, but the systems developed specific for our needs, programmed here by our IT Department or Third part employees.
Joined: Sep 16, 2006 Posts: 3437 Location: London, UK
Posted: Tue Jul 24, 2007 8:44 pm Post subject:
What is the purpose of the Audit ?
If it is to comply with legal issues, then you need to be concerned about the following
O/S & Applications
and the licenses for such
If you have 200 PCs w/XP, 2k, Vista etc do you have 200 seat license or 200 individual licenses for the O/S.
If you have Servers, same thing for the O/S, same thing for exchange, sql, etc etc as for licenses for the s/w and seat licenses for the users
For the development side, do you have the license(s) for the 'distributable' packages of the applications that were built for you. Did the 3rd party have them...etc etc.
The inventory can be done in several parallel steps.
1 - using your monitoring tools, determine the # of kit that is being monitored
2 - using your system mgmt/control tools - Active Directory - determine the # of users and the identified PCs, Laptops, Printers that exist in the AD database. You may also get application data - depending on what is installed for system mgmt
3 - With #1 data, go find the kit and identify the physical device that is associated with the virtual/logical device
4 - with #2 data, go around the office(s) and do the same thing
Then compare 1 & 3 and 2 & 4 - find the matching data and the unmatched data.
Repeat until satisfied.
In addition, your company may have to write policies concerning use of personall software, management of existing software.
While ITIL has some of this, this task is basically the following
Go to site. Touch device. mark it ans inventory.Move to next device
Same would apply to any application developed for internal use.
Congratulations..... you have been thrown into the deep end _________________ John Hardesty
ITSM Manager's Certificate (Red Badge)
Change Management is POWER & CONTROL. /....evil laughter
Joined: Jan 01, 2006 Posts: 500 Location: New Jersey
Posted: Fri Jul 27, 2007 5:28 am Post subject: Re: How to audit the configuratin management
"Audit" is all about transparency of data/information/knowledge.
In order to get the data you need, you have to have highly repeatable processes in place.
The first step you will have to address is the inventory of each data type your auditing group cares about...
What this means is that "somewhere" you should have a complete, and constantly "kept up to date" inventory of each and every one of those line items. The inventory, itself, ensures one place for a true source of data. The auditors will always want proof of this. How you keep the inventory up to date will be the processes that control the "lifecycle" of any instance of any data type, above. It's the processes that ultimately drive measurement, effectiveness and optimization.
For audit, the first thing to prove is that your inventory is solid.
The second thing to prove is that all people know where to go to see, update, and manage the definitive inventory.
The third thing is to show proof of repeatability for how those inventories are managed.
The fourth is to prove that there are repeatable and controlled processes for how you modify the items within the inventories. Remember, as a record of any single item moves through its lifecycle, it gets modified and you'll need to keep history of modifications.
And, finally, when you're very mature, you will also be able to show relationships between any and all entities, as well as proof of process that defines how you manage and modify the relationships, too.
Recently I discovered that my company developed a IT Management Plan, and for that, and exclusively for that document, it has been elaborated a Inventory of Software and Hardware.
I´ve discovered that the things is rather simple. There is no process involved, no standard, no responsabilities, no ... nothing. It has been done once and only God knows when is going to be updated...
My job now has changed to do some recomendations about "good practices" to be implemented.
Your advices will help me greatly in that.
Joined: Jan 01, 2006 Posts: 500 Location: New Jersey
Posted: Mon Aug 27, 2007 9:56 pm Post subject:
You say that it has been "elaborated an Inventory of Software and Hardware". If this is the case, you're looking at basic Asset Management and not Configuration Management, at all. I can't tell you how many enterprises and people I deal with, in IT, that still don't understand the difference between the two.
The reality is that there are many different types of configurations you will need to inventory and manage and they are associated with almost all of your asset types. For example:
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum