Change Management + Control = Higher Availability

Change Management: Practical Guidance for Managers on How to Prepare for Successful Audits

Continuous File Integrity Monitoring: A New Approach for PCI Compliance

Controlling Change: The Missing Ingredient

Enhance BMC Change Management with Closed-Loop Control

Identifying Critical Change Control Failure Points

Managing End-of-Life for Windows NT Systems

Meeting the PCI Standard

Self-Service SOX Auditing with S3 Control

Software Security - ATM Best Practices

Solidify Your Retail POS Devices

The Miracle in Detroit: Putting the ROI into ITIL

Validate and Enforce Change Process for SOX Compliance

Most unavailability today is caused by change. Most IT organizations recognize the centrality of change to their operational effectiveness. Yet a gap persists between actual change activity and the documented Change Management Process. This change control gap results in manual activity by IT departments to control and minimize the costs of change. In this paper, we explain how adding Control to existing Change Management solutions can bridge this gap and enable your IT organizations to deliver highly available IT services.

This paper, "IT Audit Checklist: Change Management," supports an internal audit of the organization's change management policies in order to verify compliance and look for opportunities to improve efficiency, effectiveness, and economy.

The IT audit checklist guide includes advice on assessing the existence and effectiveness of change management in:

• Project oversight, development, procurement, IT service testing, and IT operations;
• Guidance for management and auditors on supporting change management; and
• Ensuring continual improvement of change management efforts.

Read this paper to learn how to prepare for an audit of high-level processes and resources and provide concrete tools managers can use to ensure that the audit experience and results are as beneficial as possible to both IT leaders and the company as a whole.

According to recent, independent research -- PCI requirements 10 and 11 are among the least satisfied requirements across Level 1 merchants, with almost 40% non-compliance.  These 2 requirements mandate safe change actions; namely a file integrity monitoring system. 

When evaluating file integrity monitoring solutions, be sure to ask for a continuous file integrity monitoring solution – i.e. a technology that monitors files constantly and immediately reports detected changes as they happen.  As opposed to other solutions, a continuous file integrity monitoring solution has the following features:

• Detects all changes,
• Identifies transient violations,
• Captures rich forensic data, and
• Requires no operational trade-offs. 

Read this white paper to see why leading Qualified Security Assessors (QSAs), auditors, and other experts have endorsed this kind of technology as a preferred solution for meeting PCI and operational control requirements.

When a failure happens in the IT infrastructure, the first question which gets asked is, “What changed? It was working yesterday.” Pro-actively controlling change is a key foundation for scaleable and reliable IT infrastructure. Change can be bucketed into three distinct categories: In-Process, Emergency and Ad hoc. Each one of these categories has very different organizational drivers and characteristics.

Many IT organizations are using change management and datacenter automation solutions to automate the approval and implementation processes for change to the IT infrastructure. While this approach provides a solution for in-process change, emergency and ad hoc change are still problematic. Automated change control is the key 3rd ingredient in a complete solution. Change control complements Change Management and Datacenter automation, to maximize in-process change, capture and document all emergency change and eliminate ad hoc change.

Are you about to implement change management using BMC Remedy Service Management or BMC IT Service Management for Mid-sized Businesses (a.k.a. Magic or Service Desk Express)?  Have you already implemented one of these systems and want to maximize the return on your investment?

Get this white paper to see how others have optimized their change management implementation approach to derive the most value from their investment by adding closed-loop control, including:

• Increasing the percentage of in-process change,
• Documenting emergency change (who, how, what, when) after the fact, and
• Eliminating ad-hoc change.

All companies have IT systems whose availability and integrity are critical to the viability of their business. Read this paper to learn how to identify systems within your infrastructure as critical change control failure points by categorizing systems according to their risk level.

Categorizing systems according to business risk posed by unapproved change can help IT managers assess where additional change control measures are required, and prioritize activities to increase control on critical systems. For example, change managers can:

• Perform widely deployed changes in the reverse order of system criticality to minimize risk
• Optimize change windows for critical systems
• Proactively back up critical systems before changes are implemented

Many organizations still have a significant number of NT4 systems running everything from Enterprise Resource Planning (ERP) in the datacenter, to production controllers on the plant floor. These systems often support fragile legacy applications and do so with very limited computing resources. Changes to these systems, including operating system patches, can result in production outages and downtime that threatens business operations. Additionally, the difficult task of repairing a legacy application can further extend this downtime.

The easiest answer for managing NT4 systems is to never patch or change them. Unfortunately, this typically isn't possible given the security requirements of most enterprises today. NT4 systems that are on the network are subject to vulnerabilities and require protection. Failure to protect NT4 systems can result in downtime, lost or compromised data, penalties due to regulatory non-compliance and other costly business risks.

This white paper introduces a new approach to Windows NT Remediation, using change control, that many Fortune 2000 companies are adopting today. Change control reduces the need for planned change to the system, and when change is unavoidable, technically enforces the use of authorized process. Learn how you can protect your legacy systems from malicious as well as ad-hoc changes that can threaten their stability and availability.

Identity theft and credit card fraud is a large and growing problem. The Federal Trade Commission estimates that almost 10 million consumers were affected last year, at a cost of close to $50 billion.  In order to combat this growing menace, Visa, MasterCard, American Express, Diners Club, Discover and other major credit card providers joined together to introduce the Payment Card Industry (PCI) Data Security Standard. This program is intended to protect cardholder data wherever it resides, ensuring that members,merchants and service providers maintain the highest levels of information security.

This white paper describes the PCI Data Security Standard and provides an explanation of how change control can be leveraged to comply with its requirements at a greatly reduced cost.

The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with the implications of SOX to their businesses, one thing is clear: a SOX compliance program is not a one-time project but a sustained effort to gain visibility and accountability into business processes that affect the accuracy of financial reporting. Most IT controls are manual, error-prone and resource intensive. This paper lays out the problem and suggests a radical solution: build a self-service, automated IT control framework in which all the information required to verify compliance is available in a single reporting system, at the click of a button. Solidcore S3 Control has helped a large number of customers do just that, and we explain how we helped them do it.

Bad news travels fast. Almost three years ago, the media picked up on two or three incidents where best practice ATM software security measures were not followed. This media attention focused on the risks to ATM security and the industry became nervous.

Much of this media 'hype' has now passed and there have been no further bad news stories. The risk profile of an ATM is now much better understood. Crucially, an ATM is not a PC, and is therefore not subject to risks associated with email or being on a shared drive, for example.

NCR has always worked to secure the software environment so that none of the bad news stories mentioned above could happen. NCR continues the work in today's Windows environment with APTRA security.

Contents

• Software security is not new
• The real problem is unauthorized code
• Internal threats
• Regulatory compliance
• Ideal requirements for ATM software security
• Solidcore for APTRA - tailored security and compliance for the ATM environment
• A securely managed ATM in an Active Directory environment

Also available as a webinar

The retail industry includes point of sale and point of service devices such as POS checkout terminals, self check units, cash drawers, information, web kiosks, PCs and back office
servers. The shift towards standard operating systems and increased network connecivity has given flexibility to the industry, but at the cost of 'control challenges'. Retail devices typically flow through a multi-party distribution channel from
the device manufacturer, to the system integrator or dealer, and finally get deployed at the retail site. Owing to the existence of multiple parties involved in the distribution channel, it often becomes difficult to control the state and
availability of the retail device when in production. This white paper summarizes the business level and operational challenges faced by the retail devices industry, and presents Solidcore's solution for improving availability, reducing support costs, and lowering TCO of retail devices.

Every IT manager intuitively understands the difficulty of achieving, and as importantly, demonstrating, a return on investments into technology projects. We all know the drill – delays, changing requirements, changing environments, all leading to challenges in meeting the stated goals of the project. This issue is particularly acute for large, multi-phase deployments such as an ITIL implementation.

The IT department has become the central artery of a large number of organizations. This central artery increasingly finds itself in a predicament – increasing dependence on its services with decreasing budget is putting an enormous strain on the organizations. The annual cost in terms of downtime, compliance costs, and organizational inefficiency is high.

The IT Infrastructure Library (ITIL) offers a solution. But a first look at ITIL can be challenging for IT managers: A massive high cost project which is hard to sell to management and promises returns many years in the future and only after significant investment. If you can pick concrete milestones and, for each milestone, demonstrate and measure the value provided to the organization, much of this risk would be mitigated.

What can you pick as a first milestone in an ITIL project which will make others say: “Wow, yes this is the right way to go?” What can you do to get management to buy into your vision? Read on.

Assuring SOX compliance is an on-going process and surviving an audit can be a daunting task.  But you can verify compliance in a single reporting system if you enhance your existing change management system. 

Read this white paper to learn how Solidcore S3 Control enhances change management solutions to help you address the following questions asked by SOX auditors:

• Are all the changes going through the change management process or emergency change process?
• What percentage of changes are going through the emergency change process?
• How do you monitor changes to make sure that the change process is followed?
• How do you track privileged user activity on databases containing financial information?

S3 Control monitors all changes on databases, servers and network devices that aid the automation of SOX compliance requirements.  The solution captures the 5 W’s (who, what, when, where and how) of the change and then matches those changes against the change tickets. With accurate reconciliation algorithms, S3 Control produces reports answering the above questions for the auditors. This helps validate your company's SOX compliance posture quickly and easily.