A Blockchain-based Approach for Continuous Auditing in IT Change Management
Abstract: Information Technology (IT) changes are a critical part of the day-to-day operations of most modern organizations, and poor change delivery can pose severe risks to business continuity. In this context, frameworks like COBIT seek to provide guidance on best practices and procedures for proper IT change management, and shareholders often resort to auditing to ensure that changes are delivered following defined procedures. To this end, third-party audit companies perform periodic inspections of the target IT system, the log of deployed changes, etc. However, the sheer volume of changes, ever-increasing change complexity, and automation make it challenging to audit changes between inspection events. To tackle this issue, we propose in this paper a blockchain-based approach for continuous IT change auditing. In summary, we instrumented a change orchestration framework with a solution for certifying each change deployed in the target system through blockchain. The chain of IT changes between inspection events is then used to ensure that only certified changes were deployed in the infrastructure.