Is there a silver bullet for making policy and risk compliance easier? While there is no single solution which will manage compliance end-to-end, the answer may surprise you. But first a little background.
Risk Management is fundamental to maintain a successful enterprise. The purpose of Risk Management is to identify uncertainties, hazards, exposures, liabilities and other risks which may cause harm to the organization, forecast the potential impact and then implement measures designed to reduce these affects. Considering IT operations is vital to business continuity, it should be no surprise that Risk Management is a central tenant of IT governance.
One of the tools used to manage risk is the Risk Policy. In IT, the risk policy is a top-level document which specifies what standards the organization will observe in order to safeguard the confidentiality, integrity and availability of its IT systems and data. The Risk Policy will often include additional sections addressing security and any obligations to industry and regulatory mandates like Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and similar.
It's important to observe that policy standards define what safeguards will be required but not how a standard will be implemented. For example, the PCI DSS policy has a standard which states that the organization will "install and maintain a firewall configuration to protect cardholder data”. However, it does not specify what type of firewall to use. It does not specify what firewall rules to deploy. It does not even specify what it means to maintain the firewall. Which leads us to our discussion on controls.
Policies are operationalized by implementing controls which support policy standards. There are two primary types of controls: technical and procedural. Procedural controls are "managerial” or "operational” in nature. They define how people are to perform a task or job function. For example an IT manager will retain a full system backup for seven years. On the other hand, technical control are directly implemented on IT systems using supported configuration options. For example, a server shall be configured to require a logon password. Once technical controls are in place, the challenge becomes to keep them in place. This leads us to the topic of compliance.
Policy compliance seeks to verify that all controls, as defined by policy, are: 1) implemented and 2) remain operational as implemented. As such, policy compliance can be thought of as a "continuous process” – one of implementation, monitoring and verification. While it's common to think that compliance is something an auditor does, in reality IT operations is responsible. An auditor only provides independent verification that policy objectives are being met.
As mentioned earlier, technical controls are implemented as configuration options. And more specifically, network controls are implemented as configuration options in network routers, switches and similar devices. So the big reveal here is that perhaps the best risk and policy management tool in your toolbox is your Network Configuration and Change Management (NCCM) software. By definition, NCCM software manages configuration changes and protects configurations and devices from unwanted changes.
Since the network forms the core foundation for IT services, and the quality of network service is defined by the configuration of its constituent routers, switches, controllers, access control devices and more, then it makes sense to carefully manage and monitor these configurations. This is why NCCM plays such a critical role in IT operations and risk management.
So just how does NCCM accomplish all of this? Here is a quick overview.
Device access – Perhaps the first place to start is by removing ad-hoc access to devices. An NCCM will help you eliminate ad-hoc (un-authorized) device access and require configuration changes to be made using the NCCM management console.
Change control – By requiring all configuration changes to be made using the NCCM console, you are able to assign administrative privileges and implement a formal change review and approval process. This eliminates unplanned and unauthorized actions and maintains a history of all changes made.
Configuration templates – An NCCM will allow you to create a standardized script or change template for making reoccurring changes. This ensures that changes will be uniformly made as approved. Configuration change templates are device and vendor-neutral. They provide an automated way to mass-deploy new services, or quickly remediate a policy violation or security vulnerability across the network.
Job scheduling – Want to control when changes are made? An NCCM provides job scheduling to execute changes during maintenance windows.
Backup and recovery – Hardware failure and human error can break your network. Recover from these disasters quickly. An NCCM will schedule, back up, find, and restore device configurations.
Change detection and analysis – You've spent time and effort getting your configs to a baseline. How do you know when something changes? What if a change is made to the running config but not saved to the startup? An NCCM will monitor device configurations and notify you when any change is made. You can even compare two configs side-by-side and see what statements were added or removed.
Audit Policies – Want to help ensure your do configs contain (or don't contain) specific configuration statements? An NCCM policy can be used to identify what is expected (or forbidden) in a configuration. Policies are useful to verify compliance with internal policies as well as DSS PCI, HIPAA, SOX, DISA STIG and other industry mandated policies.
Remediation – An NCCM will allow you to correct violations fast with remediation scripts (defined as part of the policy).
Change management, monitoring, and auditing are three ways an NCCM helps you manage and protect your network configurations as well as manage IT risk.
In March 2016, SC Magazine awarded SolarWinds Network Configuration Manager (NCM) with the "Best Policy/Risk Management Solution” for the fourth straight year. SolarWinds NCM won't manage every aspect of your risk policy. However, using a single tool, you can not only manage your network configurations, but also manage many of the procedural and technical controls for your network.
To learn about the SC Magazine 2016 awards and other category winners, read this article. To learn more about Network Configuration Manager, visit the NCM product page. To learn how to write a NCM policy, read this thwack® blog post.