Configuration Verification and Audit (process ST 3.5)

Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Verification and auditing is responsible for ensuring that information in Configuration Management is accurate and that all Configuration Items (CIs) are identified and recorded in Configuration Management. The process can be conducted manually, or by using automated inventory and discovery tools.

Verification includes routine checks that are part of other processes (for example, verifying the serial number of a desktop PC when a user logs an incident). Audit is a periodic, formal check. You should verify and audit your configurations regularly to ensure proper functioning of the entire Configuration Management process, and for related IT service management processes.

The objective of verification and auditing for Configuration Management is to detect and manage all exceptions to configuration policies, processes, and procedures, including security and license use rights. The verification process ensures that configuration records are accurate and complete, and that any recorded changes are approved. Configuration audits help to maintain the integrity of the Configuration Management System (CMS).

Also included in the configuration and audit process is the periodic review of installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements.

Configuration Verification and Audit activities include:

Make sure that baselines and standards match the actual components in the IT environment

Verify that services and products are built and documented, according to documented requirements, standards, or contractual agreements

Verify that the correct and authorized versions of any CI exists and is correctly identified and described

Verify the physical existence of CIs (for example, in the organization, in the Definitive Media Library, or in stock)

Check that release documentation and configuration administration are present before making a release

Confirm that the current environment is as expected and documented in the CMS, and that any Change requests are resolved

Check that configuration modifications are implemented through authorized changes

Validate the existence of a SLA against each CI

Verify that CI specifications are compliant with defined configuration policies and baselines

Validate that all required documentation for each CI is available (for example, maintenance contracts, license records, or warranties)

Check data quality for accuracy and completeness

Initiate an incident for discovered unauthorized changes

The following are examples of discrepancies:

Unauthorized software installed

Unauthorized access to resources and services (for example, access rights not reflected in subscriptions)

Discrepancy of status or configuration details, as registered in the CMS, compared with the actual status.

Configuration Verification and Audit processes, both physical and functional, should be scheduled and a check performed to ensure that adequate processes and resources are in place. Benefits of this process include:

Protection of the physical configurations and the intellectual capital of the organization

Verification that the service provider is in control of its configurations, master copies, and licenses

Confidence that configuration information is accurate, controlled, and visible

Conformance of changes, releases, systems, and IT environments to contracted or specified requirements.

Accuracy and completeness of configuration records

Configuration audits should be carried out regularly, before and after a major change (or release), after a disaster, and at random intervals. Deficiencies and nonconformities should be recorded, assessed and corrective action initiated, acted on, and reported back to the relevant parties and plan for improving the service. Unauthorized and unregistered items that are discovered during the audit should be investigated and corrective action taken to address possible issues with procedures and the behavior of personnel. All exceptions are logged and reported as incidents. Details for this process can be seen in the following figure and table.

The Configuration Verification and Audit workflow is illustrated in the following figure:

Configuration Verification and Audit process
Process ID	Procedure or Decision	Description	Role
ST 3.5.1	Audit required?	Configuration audits should be considered before and after a major change or release.	Configuration Auditor
ST 3.5.2	Conduct CI audit	Configuration audits (manual or automated) are scheduled periodically. The audit verifies each individual CI. It uses an automated inventory tool that scans the system. Another method is to scan the IT environment and discover the component connected to the enterprise. New components may be discovered, requiring management in the CMS.	Configuration Auditor
ST 3.5.3	Reconcile and verify data	Collected data from the audit must be reconciled and compared with the data already stored in the CMS. Different reconciliation keys and rules can be applied to match the discovered item with the CI in the CMS.	Configuration Auditor
ST 3.5.4	Unregistered component detected?	An unregistered component may be detected in cases where the item cannot be matched and found in the CMS. If an unregistered component is detected, go to ST 3.5.5. If not, continue with ST 3.5.8.	Configuration Auditor
ST 3.5.5	Component needs to be managed?	Determine whether the new component needs to be registered in the CMS, based on the scope of the CMS. If yes, continue with ST 3.5.6. If no, go to ST 3.5.13.	Configuration Auditor
ST 3.5.6	Determine CI type	The CI type is selected, based on the properties of the discovered component (for example, model name or type of device).	Configuration Auditor
ST 3.5.7	Register new CI	Create a new CI. Enter the additional attributes of the CI, based on the audit data. Go to ST 3.5.13.	Configuration Auditor
ST 3.5.8	Component missing?	If a component cannot be discovered during an audit, it may be lost or stolen (for example, the CI has not been connected to the network for some period of time). The audit status is updated to Lost. If yes, continue with ST 3.5.13. If no, continue with ST 3.5.9.	Configuration Auditor
ST 3.5.9	Discrepancy found?	Based upon the comparison between the CMS administration and the actual data from the audit, one or more discrepancies may be detected. If yes, continue with ST 3.5.10. If not, continue with ST 3.5.15.	Configuration Auditor
ST 3.5.10	Investigate discrepancy	The mismatch between the CMS administration and the actual configuration is investigated in more detail. For each discrepancy, attribute differences and relationships are investigated.	Configuration Auditor
ST 3.5.11	Update CI allowed?	To reduce the number of manual activities, some fields are populated by discovery and auditing tools. These attributes will not be maintained manually. Determine whether the differences can be updated directly without a formal change procedure. If yes, continue with ST 3.6.12. If no, go to ST 3.5.13.	Configuration Auditor
ST 3.5.12	Update CI details	The configuration details are updated, based on the audit date to ensure that the administration is correctly reflecting the actual situation.	Configuration Auditor
ST 3.5.13	Unauthorized change and/or needs investigation?	Determine whether the mismatch between the audit and the CMS administration requires further investigation (for example, detection of unauthorized software). If yes, go to ST 3.5.14. If no, continue with ST 3.5.15.	Configuration Auditor
ST 3.5.14	Determine corrective action	Document the discrepancy and determine the appropriate actions (for example, additional investigation is needed). An incident must be created and assigned to the person responsible for executing the actions. Follow SO 2.1.11 to create a new incident.	Configuration Auditor
ST 3.5.15	Update audit log	The CI is updated with the audit status and last audit date.	Configuration Auditor

Connect

Micro Focus Marketplace

ITSM Blog for IT Service Management

ITSM Community

Documentation Forum

Learn

Software Support Online

Software Support Downloads

Software Education Services

Contact

Send Help Center feedback

Submit Service Request

View Service Requests