Preparing to assess change management controls
As we covered in Chapter 5, Financial Resource and Change Management Controls, knowing where the logs and history of changes are kept is critical to determining which areas of a cloud environment should be scoped for audit. That chapter also introduced the use of enabling policies, labels, and tags to control how resources are managed.
Change management is a structured process for requesting, approving, implementing, and recording changes. Its primary objective is to allow changes to be made to the cloud while minimizing the risk they introduce.
Cloud environments are designed for agility, and they support a variety of automation, integration, and deployment tools that allow an organization to make changes rapidly. Because changes can happen so quickly and from so many sources, visibility of those changes becomes the main control for managing them. Organizations should therefore leverage automation to manage changes in the cloud: when a change passes through an automated pipeline, many of the checks that would otherwise be manual approval steps can be enforced consistently and recorded with a higher degree of confidence.
Change management performed in the cloud introduces additional benefits in comparison to traditional change management processes. Built-in automation and deployment tools remove many of the manual steps associated with planning and implementing a traditional change. In a traditional process, a rollback after a failed change would itself have to be performed manually. In the cloud, the risk is reduced because most deployment tooling supports rapid rollback to a previously deployed version if a change causes issues.
Tools utilized for change management in the cloud provide workflows and pre-approved change tasks that reduce delay in the approval process while retaining flexibility. These tools can also track and record every change made in the cloud and generate reports, so that trends can be reviewed and acted upon.
Cloud service providers offer monitoring and audit-logging tools that record changes to resources. IT auditors should leverage these tools to gain independent visibility into the changes performed, rather than relying solely on the change tickets themselves.
These are the key questions that IT auditors should ask with regard to the change management process:
- What is the process for requesting or approving changes?
- What is the process for moving the changes into production?
- Is there any notification when changes drift from the established baseline?
- Is there a process to roll back changes in case of security concerns?
- Is there a process to facilitate emergency changes?
It is important for the IT auditor to ensure there is adequate segregation of duties within the change management process. For example, the individual who develops a change should not be the same individual who approves it or who moves it into production, and emergency changes that bypass the normal approval step should still be recorded and approved after the fact.
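The segregation-of-duties and approval questions above can be tested mechanically once the change history has been exported. The following is an added example, not code from the book or from any cloud provider's tooling. It assumes a simple per-change record with a developer, an approver, a deployer, and an emergency flag; real change-management tools and cloud audit logs each have their own schema, so the records here are constructed sample data and the names and change IDs are hypothetical.

```python
"""Segregation-of-duties check over exported change records.

Added example (not from the book). The ChangeRecord schema is an
assumption; map it onto whatever your change tool or audit log exports.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    developer: str            # who authored the change
    approver: Optional[str]   # who approved it (None = no approval on record)
    deployer: str             # who moved it into production
    emergency: bool = False   # flagged as an emergency change


# Constructed sample records with hypothetical names and change IDs.
SAMPLE_RECORDS = [
    ChangeRecord("CHG-1001", "alice", "bob", "carol"),
    ChangeRecord("CHG-1002", "alice", "bob", "alice"),       # dev also deployed
    ChangeRecord("CHG-1003", "dave", "dave", "erin"),        # dev approved own change
    ChangeRecord("CHG-1004", "frank", None, "frank", True),  # emergency, no approval
    ChangeRecord("CHG-1005", "grace", "bob", "heidi"),
]


def sod_findings(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Return {change_id: [finding, ...]} for every record that breaks
    segregation of duties or lacks an approval trail. Clean records
    are omitted, so an empty dict means no exceptions were found."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        issues = []
        if r.developer == r.deployer:
            issues.append("developer deployed own change")
        if r.approver is not None and r.approver == r.developer:
            issues.append("developer approved own change")
        if r.approver is None:
            # An emergency change may legitimately be deployed before
            # approval, but it still needs a retrospective approval on
            # record; flag it so the auditor can trace the follow-up.
            suffix = " (emergency change)" if r.emergency else ""
            issues.append("no recorded approval" + suffix)
        if issues:
            findings[r.change_id] = issues
    return findings


if __name__ == "__main__":
    for cid, issues in sorted(sod_findings(SAMPLE_RECORDS).items()):
        print(cid, "->", "; ".join(issues))
```

Running the block lists CHG-1002, CHG-1003, and CHG-1004 as exceptions; each flagged change is one the auditor should trace back to its ticket and to the provider's audit log to confirm who actually performed the deployment.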
In the sections that follow, as a prerequisite, you will require at least view or read access to obtain the test evidence independently. Depending upon your organization's configuration and any additional customizations, you may require additional access rights or group memberships to reach specific content directly, or you may need to work with an administrative point of contact for your organization and observe them pulling the control evidence. For reference, the screenshots in the sections that follow are taken as a user with administrative privileges to the cloud environment.
Now that we have touched on a few points of preparation, let’s perform our first walk-through challenge to assess network and firewall settings within an enterprise cloud environment.