Auditing CMDB (Configuration Management Database) Procedures

Inaccuracy is a death knell for a CMDB. There is no measurement quite as important for the configuration management service as the accuracy of the database. Because of the importance of accuracy, a set of procedures to audit your CMDB is critical. The procedures should document the following:
• How often audits will occur
• How the set of data being audited will be selected
• What data will be compared for the audit
• How discrepancies will be resolved
• How you will know when an audit is completed

In a sense, the audit steps are the last in the overall configuration management process because they validate that the other parts of the process are working well. But never let the audit steps be the least steps in your process, or you run the risk of executing the other steps to no purpose.

Auditing typically is done by comparing two things. One of the critical policies you need to define sets the scope for this comparison. Assume that you are tracking documents in your CMDB, and the document CI has attributes for version, author, and date of last update. In conducting a CMDB audit, you look at the actual document in a word processor and find that the author name listed in the document is different from the value in the author attribute of your CMDB. Your policy dictates whether this is an inaccuracy, and if so, what the severity of the error is.

The five pillars of the ITIL process framework are planning, identification, control, tracking, and auditing. If your desire is to implement configuration management that is in accord with the best practices defined by ITIL, you need to document processes in each of these areas. The rest of this chapter describes specific issues to consider in building out your processes.