Automate Change Management Evidence Collection
Clockspring was asked by a customer to automate the collection of FISMA compliance evidence showing that their Change Management policy was being followed across more than 700 Information Systems, each containing dozens of individual computer systems. It was estimated that quarterly evidence collection took 4 hours per system and cost the organization over $500,000 per year for this single control. By automating this process, the recurring cost falls to $0; it is one of the many use cases deployed in their Clockspring instance.
Challenge
The previous evidence collection process had each system user log into their GRC tool (eMASS), find the inventory list for each system, then run reports against their Change Management tool (ServiceNow) for each system covering every change that occurred in the prior 3 years. Changes may have been recorded at any level within the hierarchy, which further complicated this process. They then needed to de-duplicate these reports, because some Change Requests included multiple systems from the inventory and each Change Request was to be pulled into evidence only once. Because this process was heavily manual, errors were commonly found during audits, and while the policy dictated this should be done quarterly, it was commonly done yearly - at best.
Solution
Clockspring was able to integrate the two systems and fully automate this data collection process, with the added benefit of alerting when hosts were not properly listed in the Configuration Management Database (CMDB). This involved the following steps:
- Query eMASS for Information System data
    - Their structure is a list of Information Systems, each of which contains a system inventory. Clockspring recursively queried these records and processed data at both the Information System and individual computer level.
- Ensure each asset has a record in the CMDB
    - All Change Requests are linked to an entry in the CMDB, so if an asset is not found in the CMDB there is no way to properly associate it with a Change, which would violate the policy. Clockspring validated that each host had a record in the CMDB and, if the host was not found, created an incident to have the host added.
    - Clockspring can also automatically create new records for these missing hosts if desired, but the customer requested that a ticket be created automatically to track the issue rather than automated record creation.
- Query Change Requests associated with each asset
    - Once the asset is confirmed to have an entry in the CMDB, Clockspring queries the Change Management module to pull all changes linked to that asset in the past 3 years. Any attribute can be pulled down, but the customer requested that Request number, Change Owner, Approver, Title, Description, Start and Completion date, and associated asset(s) be included in the output.
- Write each Change Request and its attribute information to a caching database
    - To ensure that each Change Request is captured only once per Information System, even though it may be associated with multiple assets, a database is used to cache the attribute information for de-duplication. Each Change Request is compared against the database to determine whether a new entry needs to be created (new Change Request) or an existing record can be updated.
- Provide a consolidated report back to the GRC tool
    - Once all the Change Request information has been collected, the database is queried to pull the relevant data in Comma Separated Value (CSV) format, which is written back as a new artifact on the applicable Information System.
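The five steps above, worked through end to end as an added example (this is illustrative code written for this page, not Clockspring's own implementation and not the eMASS or ServiceNow APIs). The Information System inventories, CMDB contents and Change Requests are constructed in-memory data; an in-memory dictionary stands in for the caching database, and the missing-host incident is represented as a list entry rather than a real ticket.

```python
"""Simulated CM-3 evidence collection: inventory -> CMDB check -> change lookup -> de-dup -> CSV."""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# --- Constructed sample data (hypothetical; not real eMASS/ServiceNow records) ---

# Information System -> inventory of hosts (what eMASS would return).
INFORMATION_SYSTEMS = {
    "IS-001": ["web01", "db01", "ghost01"],  # ghost01 is deliberately absent from the CMDB
    "IS-002": ["app07"],
}

# Hosts that have a CMDB record (what the CMDB lookup would return).
CMDB = {"web01", "db01", "app07"}

# Change Requests as the Change Management module would expose them.
CHANGE_REQUESTS = [
    {"number": "CHG0001", "owner": "alice", "approver": "bob", "title": "Patch web tier",
     "description": "Monthly OS patching", "start": date(2024, 1, 10),
     "completion": date(2024, 1, 11), "assets": ["web01", "db01"]},
    {"number": "CHG0002", "owner": "carol", "approver": "bob", "title": "DB parameter tuning",
     "description": "Increase buffer pool", "start": date(2025, 3, 2),
     "completion": date(2025, 3, 2), "assets": ["db01"]},
    {"number": "CHG0003", "owner": "alice", "approver": "dave", "title": "Old firewall change",
     "description": "Outside the 3-year window", "start": date(2021, 5, 1),
     "completion": date(2021, 5, 1), "assets": ["web01"]},
    {"number": "CHG0004", "owner": "erin", "approver": "dave", "title": "App upgrade",
     "description": "Deploy v2", "start": date(2024, 9, 15),
     "completion": date(2024, 9, 16), "assets": ["app07"]},
]

CSV_HEADER = ["Request Number", "Change Owner", "Approver", "Title", "Description",
              "Start Date", "Completion Date", "Associated Assets"]


def changes_for_asset(changes: list[dict], asset: str, cutoff: date) -> list[dict]:
    """Step 3: all changes linked to one asset whose start date is within the window."""
    return [c for c in changes if asset in c["assets"] and c["start"] >= cutoff]


def collect_evidence(info_systems: dict[str, list[str]], cmdb: set[str],
                     changes: list[dict], today: date):
    """Run steps 1-4 for every Information System.

    Returns (evidence, incidents): evidence maps IS id -> {change number -> record},
    de-duplicated per IS; incidents lists "IS:host" pairs with no CMDB record.
    """
    cutoff = today - timedelta(days=3 * 365)  # "past 3 years" (leap days ignored for brevity)
    evidence: dict[str, dict[str, dict]] = {}
    incidents: list[str] = []

    for is_id, inventory in info_systems.items():
        cache: dict[str, dict] = {}  # stands in for the caching database, keyed by change number
        for asset in inventory:
            # Step 2: a host with no CMDB record cannot be tied to a change; raise a ticket instead.
            if asset not in cmdb:
                incidents.append(f"{is_id}:{asset}")
                continue
            for chg in changes_for_asset(changes, asset, cutoff):
                row = cache.get(chg["number"])
                if row is None:
                    # New Change Request for this IS: create the cached record.
                    cache[chg["number"]] = {k: chg[k] for k in
                                            ("number", "owner", "approver", "title",
                                             "description", "start", "completion")}
                    cache[chg["number"]]["assets"] = {asset}
                else:
                    # Already captured via another asset: update the record, do not duplicate it.
                    row["assets"].add(asset)
        evidence[is_id] = cache
    return evidence, incidents


def to_csv(cache: dict[str, dict]) -> str:
    """Step 5: render one Information System's de-duplicated changes as the CSV artifact."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(CSV_HEADER)
    for number in sorted(cache):
        r = cache[number]
        writer.writerow([r["number"], r["owner"], r["approver"], r["title"], r["description"],
                         r["start"].isoformat(), r["completion"].isoformat(),
                         ";".join(sorted(r["assets"]))])
    return buf.getvalue()


if __name__ == "__main__":
    ev, inc = collect_evidence(INFORMATION_SYSTEMS, CMDB, CHANGE_REQUESTS, date(2025, 6, 1))
    for is_id, cache in ev.items():
        print(f"--- artifact for {is_id} ---")
        print(to_csv(cache))
    print("incidents to open:", inc)
```

With the constructed data, IS-001 yields two rows (CHG0001 linked to both web01 and db01 appears once, CHG0003 is dropped as older than 3 years) and one incident for ghost01; IS-002 yields a single row. A fixed reference date is passed in so the window is reproducible; a production run would use the current date.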
Impact
The customer now has regular updates to every Information System with no manual data collection required. This process took 2 days to build in the Clockspring application with no custom code, and it is stored in a version control system to enable tracking of changes to the data collection process. Every Information System Owner can now be sure that their CM-3 artifacts are always up to auditor standards while requiring no direct input from the owner, leaving them more time for the truly manual processes involved in supporting an audit.
Clockspring can be used to automate many manual tasks associated with compliance activities beyond those listed in this use case. See our case study on Automating Non-Technical Controls.