ISO 17799 Information Aggregator

What is ISO 17799, ISO 27000, PCI Credit Card Standard – Michael Grace

Posted: June 21st, 2010 | Filed under: Uncategorized

For my System Security class we get to learn about ISO 17799, ISO 27000, and the PCI Credit Card Standard. When I first started looking up information about 17799 and 27000 I was a bit overwhelmed and confused by the information that is …

Here is the original post: What is ISO 17799, ISO 27000, PCI Credit Card Standard – Michael Grace


A Brief History of ICT in Thailand 1968-2007 – Windows Live

Posted: June 21st, 2010 | Filed under: Live! Search

In 2006, the e-Transactions Commission issued the Information Security Standard for Thailand, based on ISO/IEC 17799 and ISO/IEC 27001. The document was widely distributed and …

See the article here: A Brief History of ICT in Thailand 1968-2007 – Windows Live


ISO 27001 Security Standard Published

Posted: June 20th, 2010 | Filed under: Uncategorized

This standard essentially defines an Information Security Management System (known as an ISMS), and complements the ISO 17799 ‘code of practice’ standard, which was re-published earlier in the year. It specifies the framework for the …

Read the rest here: ISO 27001 Security Standard Published


New ISO 17799 Security Standard Published

Posted: June 20th, 2010 | Filed under: Uncategorized

The official revision of the ISO 17799 security standard is now available. This has been under development for several years, and introduces a number of major changes to ISO17799. The old version, published initially in 2000, …

Here is the original post: New ISO 17799 Security Standard Published


About ISO27001 Benefits And Features

Posted: June 20th, 2010 | Filed under: Uncategorized

What is commonly known as ISO 27001 is an information security management system standard. It is an expansion of the ISMS standard. Its full name is ISO 27001. It was introduced in 2005 by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC). There are various features and benefits available to an organization that obtains ISO 27001. Organizations can apply for independent certification of their ISMS. The standard covers all types of organizations (such as commercial enterprises, government agencies and non-profit organizations) and all sizes, from micro-businesses to huge multinationals.

ISO 27001 generally plays a very important role in the monitoring, review, maintenance and improvement of an information security management system. It works as an overall management and control framework for managing an organization’s information security risks. There is no specific code or condition that prevents the management function from using this certificate. Bringing information security under management control is a necessity for sustainable, directed and continuous improvement of an information security management system. In doing so, it generates greater interest in and awareness of information security in an organization that seeks independent certification of its ISMS. Every organization should try to obtain this kind of quality certificate; it helps the organization gain more profit in business as well as a brand name in society.

It was released publicly in October 2005 but is based heavily upon the British Standard BS 7799-2. BS 7799 itself was also released in the same year. It contains a set of rules and regulations to be followed by the organization. More than ten thousand institutions have applied for and obtained this certificate.

ISO 27001 is not only an advanced version of BS 7799-2; it also inherits from other international standards. There are also various certifications released by governments and by international and local bodies to make sure an organization is running properly. An organization can apply for this kind of certificate and show its code of conduct to the public. ISO 27001 is often considered the most important and most reliable in society, hence many organizations like to obtain the ISO 27001 certificate. ISO 27000 is also partnered with many other ISO certificates, such as ISO 9001, ISO 14001, etc. ISO 27001 is applied by an organization to show that it is very good in ethics and follows all the rules and regulations properly put forward by its government.

The prime objective of this standard is to support the establishment, design, implementation and management of an effective information management system which protects the information of an organization from any risks. The decision to adopt this standard should be followed through in every organization. The certificate is also keen on valuing the people who work in the company, as well as how the company treats its employees.

There are also various sub-standards present in ISO 27001. Each sub-section denotes some specific quality and specification that should be followed by the organization. There is also a standard called plan-to-check; this helps the organization plan their quality and check whether they have attained it or not. ISO 27001 also helps the organization maintain ethical rules, as well as helping the organization in business by winning new orders. Organizations also gain more profit by using the ISO 27001 certificate. The benefits of ISO 27001 are not only numerous but also diverse.

Design and manage an independent information management system. ISO 27001 can be used within any organization to design and formulate its specific set of security requirements and desired objectives. It can also help in seeing that the plans are implemented and the desired security objectives are met. This standard makes the implementation process of security management system more formal and rigorous apart from diminishing the risks considerably.

Minimize and manage security risk. ISO 27001 helps to make sure that unacceptable information security risks are avoided. It further helps in managing any risk in the most cost effective manner.

Win the confidence of business partners. Certification improves the organization’s marketing potential by convincing its business partners of the stable state of the organization’s information security. It also relieves the business associates of the necessity of carrying out their own research on the organization’s information security management.

Organizations can use this standard to provide relevant information about information security policies, directives, standards and procedures to its trading partners as well as any other organization that they interact with for operational or commercial purposes.

Analyze existing information security management process. ISO 27001 helps in identifying, understanding and analyzing the status of the current information security management processes. It is utilized by internal as well as external auditors of organizations to explain the information security policies of the organization and also the directives and standards that it adopts and to what extent the organization complies with those policies, directives and standards.

Interoperability. If partner organizations both follow ISO 27001 standardization, then they can achieve a comfortable level of interoperability even though they may come from very different backgrounds, because of the common set of standardization guidelines that they follow.

Quality assurance. Whether it is the organization or the business partners, there should be some quality in the information security system and hence of the organization in general since a clearly defined standardization process is applied.

Benchmarking. An organization can use ISO 27001 to measure its status against that of its competitors. It can emphasize its current rank and the developments that it makes as opposed to its rivals.

General security awareness. ISO 27001 is a formal set of specifications that establishes, manages, controls and implements a security management system and hence avoids any possible information security risks. In doing so, it generates greater interest in and awareness of information security in an organization that seeks independent certification of its ISMS.

Alignment of staff. Implementation of this standard generally demands the involvement of both the business management staff and the technical staff. Hence, as a consequence, communication and information technology coordination is achieved easily in greater measure.

This is a good certification standard for a company to reach a new quality goal for raising the bar to the next level.

Retrieved from “http://www.articlesbase.com/information-technology-articles/about-iso27001-benefits-and-features-1172547.html”

Follow this link: About ISO27001 Benefits And Features


ISO 27002 Security Policy Templates

Posted: June 20th, 2010 | Filed under: Uncategorized

The ISO 27002 Security Policy templates from ecfirst provide an excellent opportunity for organizations to develop customized policies to address critical regulatory compliance mandates. The policy templates are available in Microsoft Word as a download from the ecfirst e-store.

Why is the ISO 27000 such an important standard in the world of information security? The ISO 27000 series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS). It is applicable to organizations of all types, across industries, and sizes.

The security policy templates address all the controls defined within categories and clauses of the ISO 27002 information security standard. The ISO 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining an ISMS.

Your organization may be impacted by regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and possibly other regulations such as the Payment Card Industry’s Data Security Standard (PCI DSS) or U.S. state requirements. An important reference and an excellent framework in the world of information security are the ISO 27001 and ISO 27002 standards. Your organization can get a fast start to addressing regulatory requirements by first developing policies centered around this exclusive global information security standard.

About ecfirst:
ecfirst, an Inc. 500 business, has served over 1400 clients all across the United States in the areas of compliance, security and professional services. ecfirst delivers deep expertise with its full suite of services that include ISMS, IT Project Management, and general security and IT infrastructure solutions.

Retrieved from “http://www.articlesbase.com/management-articles/iso-27002-security-policy-templates-968350.html”

Read the original: ISO 27002 Security Policy Templates


Getting Started with ISO/IEC 27000

Posted: June 20th, 2010 | Filed under: Uncategorized

The ISO/IEC 27000 series includes information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27000 series comprises a family of information security standards that include ISO 27001 and ISO 27002, among others.

Why is the ISO 27000 such an important standard in the world of information security? The ISO 27000 series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS). It is applicable to organizations of all types, across industries, and sizes.

The ISMS concept integrates continuous feedback and improvement activities summarized by a “Plan-Do-Check-Act (PDCA)” approach.

In this executive brief, we focus on the two standards that influence information security initiatives worldwide: ISO 27001 and ISO 27002. The ISO 27001 International Standard is about requirements related to security techniques for information technology and information security management systems.

The ISO 27001 International Standard was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.

ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining an ISMS.

Your organization may be impacted by regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and possibly other regulations such as the Payment Card Industry’s Data Security Standard (PCI DSS) or U.S. state requirements. An important reference and an excellent framework in the world of information security is the ISO 27001 standard. ISO 27001 is one of several standards developed by the International Standards Organization (ISO) in the area of information security.

Retrieved from “http://www.articlesbase.com/management-articles/getting-started-with-isoiec-27000-918882.html”

More: Getting Started with ISO/IEC 27000


Network Configuration Management Overview

Posted: June 20th, 2010 | Filed under: Uncategorized

This guide gives a brief overview of Network Configuration Management, otherwise known as Network Change and Configuration Management, or NCCM.

Why does it matter?

In a large corporate network it is not uncommon to have hundreds or thousands of network devices. If you add up all your switches, routers, firewalls and other network appliances, and then consider how many lines of configuration settings apply to each one, you can see there is a significant investment in your network’s configuration which needs to be protected.

Contemporary network devices will not only switch and route data, but will VLAN, prioritize and shape multimedia traffic in converged networks. The settings and parameters that determine how traffic is handled all form part of the configuration of the device, and of course it is vital that all interoperating devices are configured consistently in order to deliver a healthy and reliable network infrastructure.

Of course, the security of your network is dependent on the way your devices are configured. Corporate Governance policies all include Data Security considerations, such as Sarbanes Oxley (SOX), GLBA, NERC, PCI DSS, HIPAA, MiFID, SAS 70, ISO 27000, CoCo/GCSx Code of Connection and Basel II. These security standards have all been introduced to ensure certain minimum levels of security and integrity are maintained for company financial information and any stored personal details of customers. Your network is inherently vulnerable while default settings are used and it is vital that all known vulnerabilities are eliminated through

Therefore the configuration settings for your network need to be backed up, verified for compliance with any corporate governance policy or security standard, and kept consistent across the estate.

Unapproved changes are the biggest threat to IT Service Delivery and the single most likely cause of failures in IT infrastructures. Any changes that occur outside of established tracking and approval processes are classed as Unapproved Changes and, by definition, are undocumented. No audit trail of a change being made means there is no foothold to start from when troubleshooting a problem. In fact EMA primary research has indicated that greater than 60% of all environment failures would be eliminated if unapproved changes were identified before affecting IT performance.

Unapproved changes are introduced from a variety of sources including security violations, inappropriate user activity, and administrator errors. Even a seemingly benign alteration can have far-reaching unintended consequences to IT security, performance and reliability. Over time, system configurations deviate further and further away from established standards. This is referred to as “configuration drift”, and the greater the drift, the greater the risk posed to the reliability of an IT support stack.

The Network Change and Configuration Management Solution

A practical solution to address these requirements is to automate config backups and change tracking, which has given rise to the Network Change and Configuration Management, or NCCM, market.

Change and Configuration Management (CCM) is the process for minimizing configuration drift by ensuring all environment settings are approved and consistent with established standards. CCM is composed of three distinct practices: configuration management which is the creation, documentation and updating of standard settings for all supported IT components; change management which is the process for identifying and approving new configuration settings and updates; and change detection which is an ongoing process of monitoring for inappropriate changes. Achieving compliance objectives for ensuring IT infrastructure reliability requires automated solutions that address all three CCM disciplines.

How does it work?

To date, the development of network device hardware has taken place at a much faster rate than the equivalent development of network management or network configuration management software. In some respects it is understandable – Network Devices didn’t need managing or configuring originally as they were black boxes that either passed data or not. It was only with the advent of shared network infrastructures such as Ethernet that the configuration of addresses and protocols became necessary and some consideration made of the network topology to cater for traffic flows and volumes.

Simple Network Management Protocol (SNMP) came to the fore as a technology to address the need for performance, security and accounting statistics from the network, and at the same time, provide a means of changing the configuration of a network too.

As a standard however, anyone who has used SNMP will know that it is anything but consistent in all but the most basic statistics. It is common to find that the manufacturers’ ‘Management Information Database’ or MIB will purport to support certain performance metrics, only to find that different devices from the same manufacturer do not consistently report information via the MIB.

It is a similar story when using SNMP to gather or update configuration data – your version of Cisco Works may work well at backing up your 2950 switch configs but when you next upgrade to 3750 switches, you may quickly find out that Cisco Works suddenly needs an upgrade (at your expense, of course – ‘What do you mean, you pay annual maintenance? That is only to maintain your software, not to actually make it keep pace with product range developments!’)

Fortunately there are other, more ‘open’ ways to gather configuration settings from network devices: using TFTP in conjunction with scripted Telnet or SSH interactions is a consistent and more easily maintained approach that can be applied to all manufacturers and all devices.

All the above change and configuration management tasks can be automated using network change and configuration management (NCCM) software solutions, the best of which will cover desktop PCs together with change and configuration management of your servers and all network devices such as firewalls, switches and routers.
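The article describes three NCCM disciplines (config backup as the baseline, change detection against that baseline, and verification of the backed-up config against a policy) without showing what the detection step looks like. The Python below is an added example, not code from the article or from NewNetTechnologies: it normalises two constructed IOS-style configs (dropping volatile lines such as timestamps), reports the lines added or removed relative to the approved baseline, separates approved changes from unapproved ones using a constructed change-ticket record, and checks the current config against a small required/forbidden policy so that configuration drift and a policy violation are surfaced in one run. The device configs, the ticket, the policy rules and the helper names (`normalize`, `diff_config`, `audit_device`, `check_policy`) are all constructed for this illustration.

```python
"""Configuration drift and policy check for backed-up network device configs.

Added example, not code from the article or from any NCCM vendor. The two
device configs, the approved-change ticket and the policy rules are all
constructed sample data in IOS-like syntax; the function names are chosen
here for illustration only.
"""
import difflib
import re

# Lines that change on every backup without meaning a real config change
# (comment separators, "last changed" timestamps). Constructed list.
VOLATILE = re.compile(r"^(!|Current configuration|Last configuration change)")

# Constructed sample: the approved baseline stored by the backup job.
BASELINE = """\
!
! Last configuration change at 10:12:01 UTC
hostname core-sw1
ip ssh version 2
no ip http server
snmp-server community c0rp-ro RO
line vty 0 4
 transport input ssh
!
"""

# Constructed sample: the running config pulled on the next backup cycle.
CURRENT = """\
!
! Last configuration change at 14:30:55 UTC
hostname core-sw1
ip ssh version 2
ip http server
ntp server 10.0.0.1
snmp-server community c0rp-ro RO
line vty 0 4
 transport input ssh
!
"""

# Constructed change ticket: only the NTP line was approved for this window.
APPROVED = {"add": ["ntp server 10.0.0.1"], "remove": []}

# Constructed policy: lines every device must have / patterns it must never have.
REQUIRED = ["ip ssh version 2", "transport input ssh"]
FORBIDDEN = [r"^ip http server$", r"^snmp-server community \S+ RW$"]


def normalize(config):
    """Drop blank and volatile lines; keep indentation, which is meaningful."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or VOLATILE.match(line.strip()):
            continue
        lines.append(line)
    return lines


def diff_config(baseline, current):
    """Return (added, removed) lines of current relative to baseline."""
    base, cur = normalize(baseline), normalize(current)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=base, b=cur, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(base[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(cur[j1:j2])
    return added, removed


def audit_device(baseline, current, approved):
    """Separate approved from unapproved changes and measure total drift."""
    added, removed = diff_config(baseline, current)
    ok_add = set(approved.get("add", []))
    ok_remove = set(approved.get("remove", []))
    unapproved = [("+", l) for l in added if l.strip() not in ok_add]
    unapproved += [("-", l) for l in removed if l.strip() not in ok_remove]
    return {
        "added": added,
        "removed": removed,
        "unapproved": unapproved,
        "drift": len(added) + len(removed),  # number of lines that differ
    }


def check_policy(config, required, forbidden):
    """Report required lines that are missing and forbidden lines present."""
    stripped = [l.strip() for l in normalize(config)]
    findings = [f"missing: {req}" for req in required if req not in stripped]
    for pattern in forbidden:
        rx = re.compile(pattern)
        findings += [f"forbidden: {l}" for l in stripped if rx.search(l)]
    return findings


if __name__ == "__main__":
    report = audit_device(BASELINE, CURRENT, APPROVED)
    print(f"drift: {report['drift']} line(s) differ from baseline")
    for op, line in report["unapproved"]:
        print(f"  UNAPPROVED {op} {line}")
    for finding in check_policy(CURRENT, REQUIRED, FORBIDDEN):
        print(f"  POLICY {finding}")
```

Run against the constructed data, the script reports three lines of drift, of which the NTP addition is covered by the ticket while the `ip http server` change is not, and the policy check flags the same line as forbidden. In a real deployment the two configs would come from the TFTP/SSH backup job the article describes and the ticket from the change-management system, and the unapproved list is what would feed an alert.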

All NewNetTechnologies software solutions are built using the latest technology, which means they can be fully adapted to suit all business environments. For more information on Network Configuration Management view our software solutions on http://www.newnettechnologies.com which provide 100% of the features you need but at a fraction of the cost of traditional solutions.

Article Source:

http://EzineArticles.com/?expert=Mark_Kedgley

Link: Network Configuration Management Overview


Become Confident in Your ISO 27001 Practices

Posted: June 17th, 2010 | Filed under: Uncategorized

Managers who claim that their organizations comply with ISO/IEC 27001:2005 but that they see no need to go through the bureaucracy of getting the ‘badge on the wall’ are only deceiving themselves. The reality, I suspect, is that the vast majority of organizations that won’t submit their Information Security Management Systems (ISMS) to an external audit against ISO 27001, fear that, when it comes to the push, their systems would fail the test.

Survey after survey tells a depressingly familiar information insecurity story. Most recently, the 10th annual CSI/FBI survey revealed that, amongst the security-conscious, information security control-focused members of the CSI, computer crime continued to have a significant financial impact. The average incident last year cost $204,000, and the top two security breaches were through virus attacks and unauthorized access – both of which are comprehensively controlled through the controls and management systems mandated by ISO 27001.

ISO27001 Effectively Manages Data Security

This evidence, combined with the findings of a recent survey carried out amongst UK-based organizations that ISO27001, suggests – somewhat contradictorily – that securing information is rarely the primary driver for achieving certification. The top reason was commercial advantage, summed up by one respondent who said that a certificate ‘gives customers confidence that our data security is well managed and certified by an independent source.’

And it’s that certification ‘by an independent source’ which is the real benefit of pursuing ISO 27001 in the first place. US regulators implicitly recognized the importance of external validation for information security effectiveness when they observed that: ‘the best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.’

Achieve High Security Standards through ISO 27001

There are sectors in which the ‘badge on the wall’ debate is already history, and in which certification is now becoming a basic business requirement. UK cheque printers, for instance, are required to comply with a sectoral version of ISO27001 and suppliers to the NHS are expected to be on track for certification (there is now a health sector version of ISO17799) – even if the NHS itself still has some way to go. Business Process Outsourcing companies are finding it much simpler to provide a copy of their ISO 27001 certificate in their tender documentation than to answer detailed information security questionnaires.

Some of this might be expected: BS7799 was, after all, a British Standard, and the UK government’s Cabinet Office has, for several years now, driven take-up across the UK public sector. And as more and more local authorities and public-sector organizations become certified, so the pressure for their private-sector suppliers to achieve the standard will increase – and today’s early adopters are clearly stealing a march on their competitors.

Achieve Your Certificate in ISO 27001

Internationalised as ISO 27001 (http://www.27001.com), information security certification can also be a short cut to best-practice compliance with a wide range of data compliance and regulatory requirements, ranging from Data Protection Acts across the EU, privacy and breach legislation across the OECD, and specific legislation such as GLBA, HIPAA and Sarbanes Oxley. Determined outsourced suppliers are increasingly insisting that their certificate be taken into account when preparing for and costing their annual SAS 70 audit, with consequently substantial reductions in both the cost of, and disruption caused by, the audit.

Are organizations beginning to recognize that, in fact, it is the badge on the wall that counts? Yes, as evidenced by the increasing number of badges. It took about seven years (to December 1994) for the first 1,000 certificates to be achieved, but less than two and half years later there are more than 3,500 successes. And certification has a ripple effect: every organization that achieves ISO 27001 will expect its key suppliers to meet the standard. And this means that anyone who thinks the badge doesn’t count will have nowhere to hide when the CEO comes asking why your competitors have stolen your lunch.

Alan Calder is an international authority on IT Governance and information security management. He led the world’s first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, ‘IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799′. The 3rd edition of this book is the basis for the UK Open University’s postgraduate course on Information Security. He has just written, for BSI, a management guide on integrating ISO 27001 and ISO 20000 Management Systems, drawing heavily on ITIL best practice. He is a consultant to companies around the world, including Cisco.

Article Source:

http://EzineArticles.com/?expert=Alan_Calder

Read more here: Become Confident in Your ISO 27001 Practices


Managing Risk in Information Technology

Posted: June 17th, 2010 | Filed under: Uncategorized

As information technology increasingly falls within the scope of corporate governance, so management must increasingly focus on the management of risk to the achievement of its business objectives.

There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization’s strategic deployment of information technology in order to achieve its corporate goals, the second relates to risks to those assets themselves. IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which risks associated with information assets themselves are managed.

Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.

ITIL has long provided an extensive collection of best practice IT management processes and guidance. In spite of an extensive range of practitioner-orientated certified qualifications, it is not possible for any organization to prove – to its management, let alone an external third party – that it has taken the risk-reduction step of implementing best practice.

More than that, ITIL is particularly weak where information security management is concerned – the ITIL book on information security really does no more than refer to a now very out-of-date version of ISO 17799, the information security code of practice.

The emergence of the international Information Security Management (ISO 27001) and IT Service Management (ISO 20000) standards changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certificated as having information security and IT service management processes that meet an international standard; organizations that demonstrate, to customers and potential customers, the quality and security of their IT services and information security processes achieve significant competitive advantages.

Information Security Risk

The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security. It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. ISO/IEC 27001 (what was BS7799) helps organizations make the step to systematically managing and controlling risk to their information assets.

IT Process Risk

IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes – and many of these processes are common across organizations of all sizes and in many sectors. Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000 as in ITIL, as the “service provider”) exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context. ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of the ITIL.

Regulatory and Compliance Risk

All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:

* Combined Code and Turnbull Guidance (UK)

* Basel2

* EU data protection, privacy regimes

* Sectoral regulation: FSA (1), MiFID (2), AML (3)

* Human Rights Act, Regulation of Investigatory Powers Act

* Computer misuse regulation

Those organizations with US operations may also be subject to US regulations such as Sarbanes Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and the USA PATRIOT Act. Most organizations are possibly also subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6). Compliance depends as much on information security as on IT processes and services.

Many of these regulations have emerged only recently and most have not yet been adequately tested in the courts. There has been no co-ordinated national or international effort to ensure that many of these regulations – particularly those around personal privacy and data protection – are effectively co-ordinated. As a result, there are overlaps and conflicts between many of these regulations and, while this is of little importance to organizations trading exclusively within one jurisdiction, the reality is that many enterprises today are trading on an international basis, particularly if they have a website or are connected to the Internet.

Management Systems

A management system is a formal, organized approach used by an organization to manage one or more components of their business, including quality, the environment and occupational health and safety, information security and IT service management. Most organizations – particularly younger, less mature ones, have some form of management system in place, even if they’re not aware of it. More developed organizations use formal management systems which they have certified by a third party for conformance to a management system standard. Organizations that use formal management systems today include corporations, medium- and small-sized businesses, government agencies, and non-governmental organizations (NGOs).

Standards and Certifications

Formal standards provide a specification against which aspects of an organization’s management system can be independently audited by an accredited certification body and, if the management system is found to conform to the specification, the organization can be issued with a formal certificate confirming this. Organizations that are certificated to ISO 9000 will already be familiar with the certification process.

Integrated Management Systems

Organizations can choose to certify their management systems to more than one standard. This enables them to integrate the processes that are common – management review, corrective and preventative action, control of documents and records, and internal quality audits – to each of the standards in which they are interested. There is already an alignment of clauses in ISO 9000, ISO 14001 (the environmental management system standard) and OHSAS 18001 (the health and safety management standard) that supports this integration, and which enables organizations to benefit from lower cost initial audits, fewer surveillance visits and which, most importantly, allows organizations to ‘join up’ their management systems.

The emergence of these international standards now enables organizations to develop an integrated IT management system that is capable of multiple certification and of external, third party audit, while drawing simultaneously on the deeper best-practice contained in ITIL. This is a huge step forward for the ITIL world.

Sources:

(1) Financial Services Authority

(2) Markets in Financial Instruments Directive

(3) Anti-money laundering regulations

(4) Gramm-Leach-Bliley Act

(5) Health Insurance Portability and Accountability Act

(6) Online Personal Privacy Act

Alan Calder is an international authority on IT Governance and information security management. He led the world’s first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799. The 3rd edition of this book is the basis for the UK Open University’s postgraduate course on Information Security. He has just written, for BSI, a management guide on integrating ISO 27001 and ISO 20000 Management Systems, drawing heavily on ITIL best practice. He is a consultant to companies around the world, including Cisco.

Article Source:

http://EzineArticles.com/?expert=Alan_Calder

Read the original: Managing Risk in Information Technology