Develop > Processes and Best Practices Guide > Configuration Management Workflows > Configuration Verification and Audit (process ST 3.5)

Configuration Verification and Audit (process ST 3.5)

Verification and auditing is responsible for ensuring that information in Configuration Management is accurate and that all Configuration Items (CIs) are identified and recorded in Configuration Management. The process can be conducted manually, or by using automated inventory and discovery tools.

Verification includes routine checks that are part of other processes (for example, verifying the serial number of a desktop PC when a user logs an incident). Audit is a periodic, formal check. You should verify and audit your configurations regularly to ensure proper functioning of the entire Configuration Management process, and for related IT service management processes.

The objective of verification and auditing for Configuration Management is to detect and manage all exceptions to configuration policies, processes, and procedures, including security and license use rights. The verification process ensures that configuration records are accurate and complete, and that any recorded changes are approved. Configuration audits help to maintain the integrity of the Configuration Management System (CMS).

Also included in the configuration and audit process is the periodic review of installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements.

Configuration Verification and Audit activities include:

  • Make sure that baselines and standards match the actual components in the IT environment
  • Verify that services and products are built and documented, according to documented requirements, standards, or contractual agreements
  • Verify that the correct and authorized versions of any CI exists and is correctly identified and described
  • Verify the physical existence of CIs (for example, in the organization, in the Definitive Media Library, or in stock)
  • Check that release documentation and configuration administration are present before making a release
  • Confirm that the current environment is as expected and documented in the CMS, and that any Change requests are resolved
  • Check that configuration modifications are implemented through authorized changes
  • Validate the existence of a SLA against each CI
  • Verify that CI specifications are compliant with defined configuration policies and baselines
  • Validate that all required documentation for each CI is available (for example, maintenance contracts, license records, or warranties)
  • Check data quality for accuracy and completeness
  • Initiate an incident for discovered unauthorized changes

The following are examples of discrepancies:

  • Unauthorized software installed
  • Unauthorized access to resources and services (for example, access rights not reflected in subscriptions)
  • Discrepancy of status or configuration details, as registered in the CMS, compared with the actual status.

Configuration Verification and Audit processes, both physical and functional, should be scheduled and a check performed to ensure that adequate processes and resources are in place. Benefits of this process include:

  • Protection of the physical configurations and the intellectual capital of the organization
  • Verification that the service provider is in control of its configurations, master copies, and licenses
  • Confidence that configuration information is accurate, controlled, and visible
  • Conformance of changes, releases, systems, and IT environments to contracted or specified requirements.
  • Accuracy and completeness of configuration records

Configuration audits should be carried out regularly, before and after a major change (or release), after a disaster, and at random intervals. Deficiencies and nonconformities should be recorded, assessed and corrective action initiated, acted on, and reported back to the relevant parties and plan for improving the service. Unauthorized and unregistered items that are discovered during the audit should be investigated and corrective action taken to address possible issues with procedures and the behavior of personnel. All exceptions are logged and reported as incidents. Details for this process can be seen in the following figure and table.

The Configuration Verification and Audit workflow is illustrated in the following figure:

Configuration Verification and Audit process

Process
ID

Procedure
or Decision

Description

Role

ST 3.5.1

Audit required?

Configuration audits should be considered before and after a major change or release.

Configuration Auditor

ST 3.5.2

Conduct CI audit

Configuration audits (manual or automated) are scheduled periodically. The audit verifies each individual CI. It uses an automated inventory tool that scans the system. Another method is to scan the IT environment and discover the component connected to the enterprise. New components may be discovered, requiring management in the CMS.

Configuration Auditor

ST 3.5.3

Reconcile and verify data

Collected data from the audit must be reconciled and compared with the data already stored in the CMS. Different reconciliation keys and rules can be applied to match the discovered item with the CI in the CMS.

Configuration Auditor

ST 3.5.4

Unregistered component detected?

An unregistered component may be detected in cases where the item cannot be matched and found in the CMS. If an unregistered component is detected, go to ST 3.5.5. If not, continue with ST 3.5.8.

Configuration Auditor

ST 3.5.5

Component needs to be managed?

Determine whether the new component needs to be registered in the CMS, based on the scope of the CMS. If yes, continue with ST 3.5.6. If no, go to ST 3.5.13.

Configuration Auditor

ST 3.5.6

Determine CI type

The CI type is selected, based on the properties of the discovered component (for example, model name or type of device).

Configuration Auditor

ST 3.5.7

Register new CI

Create a new CI. Enter the additional attributes of the CI, based on the audit data. Go to ST 3.5.13.

Configuration Auditor

ST 3.5.8

Component missing?

If a component cannot be discovered during an audit, it may be lost or stolen (for example, the CI has not been connected to the network for some period of time). The audit status is updated to Lost. If yes, continue with ST 3.5.13. If no, continue with ST 3.5.9.

Configuration Auditor

ST 3.5.9

Discrepancy found?

Based upon the comparison between the CMS administration and the actual data from the audit, one or more discrepancies may be detected. If yes, continue with ST 3.5.10. If not, continue with ST 3.5.15.

Configuration Auditor

ST 3.5.10

Investigate discrepancy

The mismatch between the CMS administration and the actual configuration is investigated in more detail. For each discrepancy, attribute differences and relationships are investigated.

Configuration Auditor

ST 3.5.11

Update CI allowed?

To reduce the number of manual activities, some fields are populated by discovery and auditing tools. These attributes will not be maintained manually. Determine whether the differences can be updated directly without a formal change procedure. If yes, continue with ST 3.6.12. If no, go to ST 3.5.13.

Configuration Auditor

ST 3.5.12

Update CI details

The configuration details are updated, based on the audit date to ensure that the administration is correctly reflecting the actual situation.

Configuration Auditor

ST 3.5.13

Unauthorized change and/or needs investigation?

Determine whether the mismatch between the audit and the CMS administration requires further investigation (for example, detection of unauthorized software). If yes, go to ST 3.5.14. If no, continue with ST 3.5.15.

Configuration Auditor

ST 3.5.14

Determine corrective
action

Document the discrepancy and determine the appropriate actions (for example, additional investigation is needed). An incident must be created and assigned to the person responsible for executing the actions. Follow SO 2.1.11 to create a new incident.

Configuration Auditor

ST 3.5.15

Update audit log

The CI is updated with the audit status and last audit date.

Configuration Auditor