GS BUSA 497 CH 10 - Change Control Management
2. Explain the benefits for organizations of implementing a well-defined and structured change control management process.
Instituting policies, procedures, and techniques help make sure all programs and program modifications are properly authorized, tested, and approved. Such policies, procedures, and techniques also ensure that access to distribution of the programs is carefully controlled. A well-defined, structured, and well-implemented change control management process benefits organizations by: ◾ Reducing system disruptions that can lead to business losses ◾ Minimizing the number of back outs caused by ineffective change implementation ◾ Providing consistent change implementation that permits management to allocate staff and system time efficiently and meet scheduled implementation dates ◾ Providing accurate and timely documentation to minimize the impact to change-related problems
Audit Involvement A change control audit or examination would determine whether system changes are authorized, tested, documented, communicated, and controlled. The following areas are typically covered: ◾ Authorization ◾ Testing (unit, system, and user acceptance) ◾ Documentation ◾ Communication ◾ Controls
Insufficient change control processes may have the following risks: ◾ Existing IT systems (e.g., applications, databases, operating systems, networks, etc.) that do not meet the organization's information processing needs, resulting in incomplete, inaccurate, or invalid data. ◾ Financial reporting systems not being able to transfer data between other IT systems and their underlying infrastructure components (e.g., network devices, server hardware). ◾ Inappropriate development and implementation of IT systems that can result in inaccurate calculations, unreliable processing, incomplete recording of transactions, and other misstatements, among others. ◾ Inappropriate procedures to define databases adequately may result in IT systems not capable of processing accurate data. ◾ Inappropriate procedures to implement databases effectively may result in data being either unavailable and/or difficult to access. ◾ Data loss or system outages resulting from errors, omissions, or malicious intent. ◾ Fraud or abuse of company systems and/or data resulting from unauthorized changes.
LEARNING OBJECTIVES 1. Describe the importance of a change control system. 2. Explain the change control management process. 3. Discuss change control management procedures.
4. Define configuration management, and describe sample activities conducted as part of a configuration management plan. 5. Describe organizational change management. 6. Describe the audit involvement in a change control examination.
Change Control Management Procedures Change control management procedures ensure that all members of an organization are following the same process for initiating, approving, and implementing changes to systems and applications. Manage risk Identify who has authority Who can initiate changes Where does approval start
9 Focus Areas • Objectives • Scope • Change Control Management Boards or Committees • Criteria for Approving Changes • Post-Implementation • Points of Change Origination and Initiation • Approval Points • Change Documentation • Review Points
10. What is the objective of a change control management audit? List at least seven procedures in a change control management audit.
A change control audit or examination would determine whether system changes are authorized, tested, documented, communicated, and controlled. The following areas are typically covered: ◾ Authorization ◾ Testing (unit, system, and user acceptance) ◾ Documentation ◾ Communication ◾ Controls The audit should include procedures such as: ◾ Obtaining copies of policies and/or procedures related to change control management. ◾ Interviewing application support staff to determine formal, informal, and emergency procedures used to implement changes to production systems and applications. ◾ Obtaining copies of change control request forms and logs. ◾ Selecting a sample of changes from the changes logged, and determining compliance with policies, procedures, and best practices. ◾ Obtaining copies of help desk call logs to determine adverse impacts from changes. ◾ Determining if new software, and changes to existing software are properly and formally authorized by the appropriate manager. ◾ Determining that all new software and software changes are properly tested, using test files and directories, before they are moved into production. ◾ Determining that all test results are effective, and reviewed by someone other than the originator. ◾ Determining that program and file names are properly controlled to avoid duplicate names. ◾ Determining that all supporting documentation is updated before an application or a change to an application is placed into production. ◾ Determining that production applications are stored in a directory protected from unauthorized changes. ◾ Determining the means of tracking production application changes. Is there a check-out/check-in system to prevent unauthorized changes?
Change Control Management Process (continued) 1 & 2 Generally have prerequisites There are three types of changes: 1. routine (low risk) • minimal impact on daily operations • implemented or backed out quickly and easily 2. non-routine (less frequent) • greater impact on operations • affect many users • lengthy, complex implementation and back out procedures 3. emergency (rare) • any change, major or minor, that must be made quickly, without following standard change control procedures • ideally must be approved by management before they are undertaken and implemented
A change control management process typically covers the following: ◾ Change request form ◾ Impact assessment ◾ Controls ◾ Emergency changes ◾ Change documentation ◾ Maintenance changes ◾ Software releases ◾ Software distribution Changes can include • Application (logic / functionality) • Configuration (parameters, ranges) • Database (raw data, stored procedures) - circumventing controls and accessing raw data • Infrastructure (hardware / connectivity) < will fall under emergency if a piece of equipment fails.
Change Control Management Process If a proposed change introduces significant risk to the operating environment • all parties affected must be notified, • the appropriate level of management must approve the implementation schedule, and • back out plans must be developed to remove the change from the system if necessary
A well-defined, structured, and well-implemented change control management process benefits organizations by: ◾ Reducing system disruptions that can lead to business losses ◾ Minimizing the number of back outs caused by ineffective change implementation ◾ Providing consistent change implementation that permits management to allocate staff and system time efficiently and meet scheduled implementation dates ◾ Providing accurate and timely documentation to minimize the impact to change-related problems
Maintenance Changes Maintenance updates are also considered changes and should be accounted for and authorized in the change control procedures. • should be logged and • the log reviewed to ensure appropriateness
Access controls should be used to • limit the actions of personnel performing the maintenance to only the access required An example of a routine maintenance task is defragmenting a hard disk to remove fragmented files or lost clusters • Windows security patches have to be monitored as well for impacts to the system. CCB would approve maintenance changes as well.
7. Once approved, changes should be scheduled for implementation. At this point, all key people and departments affected by a change should be notified of the upcoming implementation. List those who may require such notification.
All key people and departments affected by a change should be notified of its implementation schedule. Those who may require notification include: ◾ End users of the system ◾ Vendors ◾ Application programmers ◾ IT management ◾ Operations personnel ◾ Data control personnel ◾ Network management ◾ Auditors ◾ Third-party service providers
6 of 9 : Change Control Procedures : Points of Change Origination and Initiation Change control management procedures should identify the users or groups of users who initiate changes. Vendors, computer operators, application or system programmers, or end users are the ones who typically request changes.
All requests are submitted using a standard change request form that contains information, such as: • Date of request • Name of requester • Description and reasons for the change • Areas that may be affected by the change • Approvals to work with the change and for implementation into the production environment • Urgency • Filed by priority and date • sequentially numbered in change log • all changes recorded electronically online and routed for approval and later reviews For emergencies • in response to operational problems • controls established to record, document, and obtain approval • cross-referenced to operational problem reports (for verification) Be on the look out for: • repeat system failures (addressing symptom and not root cause) and need for replacement instead of patching • Amount of resourced dedicated to routine, nonroutine, and emergency change requests
7 of 9 : Change Control Procedures : Approval Points Approval points should be scheduled throughout the change control process. All key people and departments affected by a change should be notified of its implementation schedule. Notify ◾ End users of the system ◾ Vendors ◾ Application programmers ◾ IT management ◾ Operations personnel ◾ Data control personnel ◾ Network management ◾ Auditors ◾ Third-party service providers
An important part of the approval process often overlooked is testing. Test system changes to protect applications Application Changes : 2 Types • system typically do not impact the end user and usually improve the speed of processing transactions (programming support group does the test) • functionality changes are obvious to the end user and should be tested and approved by them Approval levels should be predetermined as to who can approve what changes and be obtained before changes are moved into production.
COBIT 5 defines a set of enablers or processes to help achieve the objectives of the organization. Enablers specific to change management are part of one of COBIT 5's main domains
Build, Acquire, and Implement (BAI). • BAI06 Manage Changes, and • BAI07 Manage Change Acceptance and Transitioning
Change Request Form (change initiation) Requesting the change: Ensures that only authorized changes are implemented by ensuring • record is kept of all changes to the system • resources are allocated • changes are prioritized in terms of ○ benefit, ○ urgency, and ○ effort required, as well as ○ possible impact on existing operations • Cost benefit analysis vs. quality of life Should also manage coordination between changes to account for any interdependence that may exist
Change request procedures should be documented and require: ◾ Record of change requests to be kept for each system ◾ Definition of the authority and responsibility of the IT department, as well as the user. ◾ Approval by management after all the related information is reviewed ◾ A schedule for changes, which also allows for changes outside of the schedule (e.g., emergency changes, etc.) ◾ Management approval for all changes made outside of the schedule ◾ A notification process so that requesters are kept informed regarding the status of their requests
Organizational Culture Defined Organizational culture is composed of structures for incentives, politics, support for inter-organizational relationships, and social repercussions. Incentives offered by the organization can impact the success in adapting • users do not necessarily see the "natural" advantages of adopting the change • incentives should not conflict with other rewards or incentives or the culture
Company politics can have significant effects on the success of a new IT system or change in the organization. • a new IT system can shift the power of information Organizational and technical support A supporting infrastructure includes • organizational practices, • key support staff, and • access to technical and organizational skill sets. Inter organizational relationships and social networks are supported and impacted through the use of IT. • The influence of relationships and social networks are believed to explain why some technologies are supported and others are not.
5 of 9 : Change Control Procedures : Post-Implementation Following implementation of a change, evaluations of whether the change procedures were followed and met their objectives must be performed.
Consider whether: implementation and fall back plans or back out procedures were adequate and final status of the change (i.e., complete, not complete, in progress, failed, or cancelled). • Were implementation and back out procedures adequately performed? Review against change control procedures.
Approving Software Releases Like any change, new software releases require management approval to ensure that the change is authorized, tested, and documented before the new software release is implemented in the production environment.
Controls to address the implementation of new software releases: ◾ Appropriate backups of the system's data and programs ◾ Version control should be accounted for in the process. ◾ Software releases should only be considered received from the prescribed central repository. ◾ A formal handover process is also required
6. Name and summarize the five criteria for approving changes.
Criteria for Approving Changes Approval of changes can be based on the following criteria: ◾ State of the production environment. The change control management board or committee should evaluate the performance and availability of each system in the production environment during the previous week. ◾ Change level. The change level can be based on six factors: risk, impact, communication requirements, install time, documentation requirements, and education or training requirements. ◾ Cumulative effect of all proposed changes. When all changes proposed are considered as a group, the composite effect may result in too much change activity—hence, risk. ◾ Resource availability. The change control management board or committee evaluates the availability of people, time, and system resources when considering the scheduling and approval of changes. ◾ Criticality. There are issues that may affect the impact of the change as viewed by the requester.
Change Documentation In most cases, changes to production environments will require that existing documentation and procedures be updated to reflect the nature of the change. Documentation, procedures, and business processes should actually receive the same consideration and testing as other components impacted by the change. • Adequate and up-to-date documentation minimizes reliance on individual staff.
Current documentation ensures • maintainability of the system • minimizes reliance on individual staff. Change control procedures should include a task for ○ updating documentation, ○ operational procedures, ○ help desk resources, and ○ training materials.
A critical success factor for change control management is the culture of the organization.
Does management • understand the critical role of change control management • recognize the impact change control management has on the success of the organization
Emergency Changes Emergency changes are changes that are required outside of the prescribed schedule. • fix errors in functionality that adversely affect system performance or business processes • fix discovered imminent vulnerabilities to availability, integrity, or confidentiality • emergency changes should not compromise the integrity, availability, reliability, security, confidentiality, or accuracy of the system. ○ should only be implemented in declared emergencies. • pose increased risk as they bypass some of the formal analyses and processes of the traditional change control process
Emergency change procedures should • include description of what constitutes an emergency change • require formal authorization by those responsible for the system and by management before implementation Documentation may not occur until after the change is made due to the nature of the emergency.
Example auditor flow for change control The auditor obtains: • necessary background information, • determines the key controls, • performs limited substantive testing to assess the reliability and effectiveness of the process controls, • evaluates the process
He or she should develop a flowchart documenting the process in which points of origination and initiation, approval points, changes to documentation, and review points are all identified. Furthermore, auditors' developed flowcharts should document procedures for emergency and non-emergency changes.
Configuration Management Configuration management is controlling the physical inventory and relationships among components that form a set of "baseline" objects that are subject to change. Software configuration management (SCM) in its Publication 500-223, "A Frame Work for the Development and Assurance of High Integrity Software."
Objectives of the SCM process are • track the different versions of the software • ensure that each version of the software contains the exact software outputs generated • approved for that version SCM is responsible for ensuring that any changes to software during the development processes are made in a controlled and complete manner. 9 steps (see image)
IT change control management Examples • change request approvals; • application and database upgrades; and • network infrastructure monitoring, • security, and • change management
One of the single most important control areas to ensure the integrity, availability, reliability, security, confidentiality, and accuracy of an organization or IT system supporting the organization. Also one of the three major general computer controls that assess organization's policies and procedures, related to application systems, in order to support the effective functioning of application controls
9. Describe the interdependencies between IT change management and organizational change management.
Organizational change management also deserves consideration due to its potential impact on the organization and the increased relationships with changes in the IT environment. Organizational change is impacted by limitations introduced by the technology and the organization's culture. An organization's culture is composed of its structures for incentives, politics, and relationships with other organizations and the community.
Managing Organizational Change Culture and structure change should be managed through the life cycle. Includes: • people, • organization, and • culture A culture that shares values and is open to change contributes to success. To facilitate the change process, users should • be involved in the design and implementation of the business process and the system • have a communications plan • training and • professional development plans The business processes associated with a software implementation need to be aligned, software: • change the business process to fit the software • modified as little as possible
Organizational change relies on effective communication. • Expectations need to be communicated • Input from users ensure that requirements, comments, and approval are obtained • includes the formal promotion of the implemented change • organization's progress with adopting the change Employees should also know the scope, objectives, activities, and updates and the expectation for change in advance. Training and professional development plans should be incorporated into any effort to introduce change into an organization. • trained in the new processes and procedures • the team assigned to implement the change requires special training in the process and procedures
8 of 9 : Change Control Procedures : Change Documentation As a system ages, the task of keeping track of changes and their impact on the operating system, operations environment, and application programs becomes increasingly difficult.
Organizations should: • maintain a record of all the changes made to the system ○ determine how proposed changes will affect the system ○ included in programmer's notes ○ include changes not implemented • a previous non-implemented idea may have merit if the environment changes
Controls (continued) • Manual and/or automated • Ensure implemented changes are appropriately -> • Detect that only authorized changes were worked/implemented
Particularly, ensure SOD • This avoids implementing unauthorized changes into a live/production environment (risk) Examples of controls include: • independent verification of the success or failure of implemented changes • detection of unauthorized changes Biggest headache / heartburn : Developers with access to production (can push items to production anytime they want). Makes it difficult to track unless there is automated tracking, the changes have to be audited. Preventative changes can help avoid unnecessary issues later on.
5. Describe the controls typically included when following good software distribution practices.
Software distribution practices should include the following controls: ◾ Distribution is made in a timely manner only to those authorized. ◾ A means is in place for ensuring verification of integrity, and this is incorporated into the installation. ◾ A formal record exists of who has received software and where it has been implemented. This record should also match with the number of purchased licenses.
8. Summarize how the National Institute of Standards and Technology defines the process of software configuration management.
The National Institute of Standards and Technology defined the process of software configuration management (SCM) in its Publication 500-223, "A Frame Work for the Development and Assurance of High Integrity Software." The major objectives of the SCM process are to track the different versions of the software and ensure that each version of the software contains the exact software outputs generated and approved for that version. 1. Identification of Software Configuration Items (CIs) 2. Problem Reporting, Tracking, and Corrective Action 3. Change Control 4. Change Review 5. Traceability Analysis 6. Configuration Control 7. Configuration Status Accounting 8. Configuration Audits and Reviews 9. Archive, Retrieval, and Release
Software Distribution The purpose of software distribution is to ensure that all copies of the software are distributed in accordance with their license agreements. Minimizes the risk • multiple versions of the software being installed • account for a verification of the software's integrity • compliance with software license agreements Violating software agreements has legal ramifications for companies, including costs for installed copies not licensed, damages and legal fees, and loss of corporate reputation.
The Software & Information Industry Association (SIIA) is an organization composed of companies of the software and information industry. • protect the intellectual property of their members. • combat software piracy Software distribution practices should include the following controls: ◾ Distribution is made in a timely manner only to those authorized. ◾ A means is in place for ensuring verification of integrity, and this is incorporated into the installation. ◾ A formal record exists of who has received software and where it has been implemented.
The objective of a change control management audit is to ensure that changes implemented in production systems and applications do not adversely affect system, application, or data availability or integrity. Auditors verify • all changes made to the production systems and applications are appropriately authorized and documented
The audit should include procedures such as: • Obtaining copies of policies and/or procedures • Interviewing application support staff • Selecting a sample of changes from the changes logged • Obtaining copies of help desk call logs
9 of 9 : Change Control Procedures : Review Points Change control management procedures must be carefully coordinated and reviewed if changes to the system are to be successfully implemented.
The following steps should be included ◾ Pending changes are reviewed with key personnel in operations, application programming, network and data control, and auditing. ◾ Written change notification is sent to all interested parties ◾ Sufficient response time is provided ◾ Periodic change control meetings ◾ Reports are filed on implemented changes to record post-implementation results and successes as well as problems.
Organizational Change Management Organizational change management relates to the organization's ability and methods for adopting, managing, and adapting to change.
There are many studies to support the assertion that many IT projects fail due to the inability of the organization to adapt to the change necessary to take advantage of IT. Organizations find it difficult to change their practices and structures, especially if the application is perceived to be in conflict with the company's culture.
3. Discuss the three types of changes typically implemented in systems and applications.
There are three types of changes: routine, nonroutine, and emergency. Routine changes typically have minimal impact on daily operations. They can be implemented or backed out quickly and easily. Nonroutine changes potentially have a greater impact on operations. They affect many users and frequently have lengthy, complex implementation and back out procedures. An emergency change is any change, major or minor, that must be made quickly, without following standard change control procedures.
Importance of a Change Control System Establishing controls helps to ensure • only authorized programs and • authorized modifications are implemented • make sure all programs and program modifications are properly authorized, tested, and approved • reduces the risk of disruption of IT services An IT change control system ensures proper segregation of duties between who • initiates the change, • who approves the change, and • who implements the change into a production environment. The change control management process should be reviewed periodically to evaluate its effectiveness.
Without proper controls ◾ A knowledgeable programmer could secretly modify program code to provide a means of bypassing controls to gain access to sensitive data. ◾ The wrong version of a program could be implemented, thereby perpetuating outdated or erroneous processing that is assumed to have been updated. ◾ A virus could be introduced, inadvertently or on purpose, that disrupts processing.
Organizational change control management
impacted by limitations introduced by the technology and the organization's culture
Change control management is the
process that ensures the effective implementation of changes in an IT environment Minimize the likelihood of • disruption • unapproved changes • errors consists of • analysis, • review, • approval, and • implementation of changes
4 of 9 : Change Control Procedures : Criteria for Approving Changes Approval of changes can be based on the following criteria: • State of the production environment • Change Level - The change level can be based on six factors: risk, impact, communication requirements, install time, documentation requirements, and education or training requirements.
• Cumulative effect of all proposed changes • Resource availability • Criticality
Examples of Audit Procedures • Obtain copies of P&P's on change management • Interview staff about procedures to implement changes • Obtain/inspect copies of change request forms/logs • Select a sample of the changes logged to: (1) determine compliance with P&P's and best practices, and (2) trace back to change control request logs. • Determine proper authorization of new software or changes
• Determine that proper testing took place, test results were reviewed and approved before change was implemented in production • Test that program and file names are properly controlled to avoid duplicate names • Inspect all supporting documentation and determine that it is updated accordingly before implementation into production • Companies may control and mitigate risk differently (but effectively)
What is considered a "change"? • Updating personnel or customer information - not normally considered a change, but process changes around these should be monitored. • Generating (specific) reports for Management's decision making purposes Generating a report is not a change, changing a report definitely is. • custom (medium audit) or default (low audit) • DIY (high audit)
• Fixing bugs, adding new functionality, implementing new software releases, improving the GUI, etc. Changes can also result from configuration management and business process redesign.
Change Control Management Process Covers/involves the following: • Requesting the change • Assessing the impact of the change (result) • Implementing adequate change controls • Handling emergency changes (what is the protocol)
• Revising and updating change documentation • Authorizing maintenance changes • Approving software releases (group multiple changes into a release) • Ensuring adequate distribution of software CCM process should be part of an organizations policies and procedures.
Impact Assessment Each change requires an impact assessment to ensure that potential negative consequences (resulting from the implementation of the change) are identified and planned for. • Compliance with existing policy, procedures, and processes ○ At the end of the day the leadership has to account for findings and either change or accept risk
• include supporting evidence of the change's impact assessment • should include specific measures compared with prescribed limits • reviewed to determine the effect on compliance with existing policy, procedures, and processes. • Changes can introduce risk to the confidentiality, integrity, and availability ("CIA") of data within a system.
Ineffective Change Control : Risks • Security features could be inadvertently or deliberately omitted or turned off. • Malicious code could be introduced • erroneous processing could be perpetuated
• programmers could modify program code to bypass access controls to sensitive data • viruses could be introduced disrupting processing.
Examples of Audit Procedures • Ensure effective implementation of: • backups of system's data and programs
• version control to track version files • "formal hand-over process" (i.e., only authorized personnel can move new/updated releases to production) • Test that releases are received from valid sources
3 of 9 : Change Control Procedures : Change Control Management Boards or Committees Common entities to deal with coordinating the communication of changes within an organization. Following are possible sources for members of a change control management board or committee: ◾ Application development/support teams ◾ Data center operations ◾ Networks/telecommunications ◾ Help desk ◾ Key user representatives Selected based on their • in-depth perspective • broad knowledge of the areas they represent • awareness for other functional areas involved. Goal is to ensure that the decisions made are objective as these changes have the potential of affecting the entire organization.
○ Meet daily or weekly ○ Changes considered during daily review meeting: • Emergency releases and fixes • Database clones, restores, links, or new instances • "Fast-tracked" requests for new functionality • Application or system maintenance • Upgrades to development tools ○ Topics covered during weekly review meetings • Migrations of new releases • Upgrades to production or development tools • Environment setup for migrations or tools • Third-party upgrades • Configuration changes • Hardware changes
1. Implementing policies, procedures, and techniques assist changes and modifications to systems (e.g., programs, applications, etc.) to be properly authorized, tested, approved, and carefully distributed or controlled. Without proper controls like the one above, there is a risk that unauthorized changes or modifications could introduce processing irregularities or malicious code, among many others. List examples of other risks that could potentially impact the security of the systems.
◾ A knowledgeable programmer could secretly modify program code to provide a means of bypassing controls to gain access to sensitive data. ◾ The wrong version of a program could be implemented, thereby perpetuating outdated or erroneous processing that is assumed to have been updated. ◾ A virus could be introduced, inadvertently or on purpose, that disrupts processing.
4. Name and describe four risks associated with the software release process.
◾ Appropriate backups of the system's data and programs ◾ Version control should be accounted for in the process. ◾ Software releases should only be considered received from the prescribed central repository. ◾ A formal handover process is also required
1 of 9 : Change Control Procedures : Objectives Potential objectives for change control management procedures include: ◾ Document reason(s) for the change ◾ Identify personnel requesting the change ◾ Formalize who will make the change ◾ Define how the change will be made ◾ Assess the risk of failure and impact of the change ○ Do multiple changes affect each other
◾ Document fall back plans and back up procedures should the need arise ◾ Aid in communicating with those affected by the change ◾ Identify disaster recovery considerations ◾ Identify conflicts between multiple changes ◾ Enhance management's awareness of the change management process
Controls Controls via processes and automated tools are needed to ensure the integration of change requests, software changes, and software distribution. • consistent with the requirements of the Sarbanes-Oxley Act of 2002 Change controls also ensure • detection of unauthorized changes, • reduction of the errors due to system changes, and • an increase in the reliability of changes Other relevant controls to assess the change control process include ensuring that: ◾ Business risks and the impact of proposed system changes are assessed by management before implementation into production environments. Assessment results are used when designing, staffing, and scheduling implementation of changes to minimize disruptions to operations. ◾ Requests for system changes (e.g., upgrades, fixes, emergency changes, etc.) are documented and approved by management before any change-related work is done.
◾ Documentation related to the change implementation is adequate and complete. ◾ Change documentation includes the date and time at which changes were (or will be) installed. ◾ Documentation related to the change implementation has been released and communicated to system users. ◾ System changes are tested before implementation into the production environment consistent with test plans and cases. ◾ Test plans and cases involving complete and representative test data (instead of production data) are approved by application owners and development management. Guidance from ISO / IEC 20000, COBIT, and the ITIL frameworks.
2 of 9 : Change Control Procedures : Scope Scope The scope for change control management procedures can include: ◾ Hardware ◾ Operating system software ◾ Database instances ◾ Application software
◾ Third-party tools ◾ Telecommunications ◾ Firewalls ◾ Network (e.g., local area network, wide area network, routers, servers, etc.) ◾ Facilities environment (e.g., uninterruptible power supply, electrical, etc.)