Appendix M. Change Management QUESTIONS

Transcription

1 Appendix M Change Management Change management is the process by which changes are introduced into the information technology (IT) environment. The change management process facilitates the migration of changes to the production environment and helps ensure that all changes are properly tested and that all parties affected by the change have approved it. The other aspect of the change management process is the tracking of changes i.e., ensuring that changes are properly documented and that an audit trail is associated with all changes that are made. The main objective of change management is to ensure that any negative impact to the production environment is minimized while required changes are made using a standard methodology. Changes subject to the change management process can include changes to the network infrastructure, specific applications, or devices, as well as other changes. The time that the change management process takes will vary depending on the impact of the change. As an example, for changes that affect many people or groups, the process will require more approvals than for a minor change to an application, which affects a small number of people. The change management process must also consider emergency changes, in which case, testing and obtaining approvals for change need to be performed quickly. The main risks associated with not having a sound change management policy and process include: No audit trail of changes made to the production environment is maintained, making it difficult to recreate the environment if needed. Untested changes may introduce a security vulnerability into the production environment. QUESTIONS 1. Is a change management policy in place that has been communicated and is readily accessible? Guidance: A change management policy is essential in ensuring that personnel follow good change management practices. As with other security policies, having a change management policy communicates management s expectations and allows enforcement of change management. Although

2 some individuals or groups might understand the value of change management, others might not know. It is very important for all individuals and groups to understand the value of change management because a given change can affect multiple groups. To ensure that changes do not have any adverse effects, all affected parties must understand the implication of changes and approve them. When reviewing the policy, ensure that it at least addresses the following (based on International Standards Organization [ISO] 17799): Documentation Impact of changes Approval of changes Communication of changes Scope what changes are covered Risk: The risks associated with not having a change management policy include: It is difficult to enforce change management if no policy exists mandating users to follow it. Individuals may follow inconsistent change management practices. 2. Is there a documented procedure in place for change management and is it followed? Guidance: The change management policy is what should be done and the procedure is the step-by-step explanation of how change management should be done. It is important to have a documented process to ensure that everyone is doing change management consistently. The change management procedure should at least address the following: Change control windows for normal and emergency change control. Initiation and approval of changes who can initiate and who can approve changes. Testing requirements. Documentation requirements a change management form is useful in facilitating this process. Other items that can be addressed in the procedure, based on the environment, but the list above is a minimum requirement. The procedure should be readily available (it can be posted on the company intranet) to employees. Risk: The risk of not having a documented policy is that critical aspects of the change management process may not be done properly or consistently. This can lead to untested and unapproved changes entering the production environment.

3 3. Is there a form to help facilitate the change management process? If not, how is the process documented? Guidance: An important aspect of change management is documentation. The documentation provides an audit trail of key aspects of changes including: What was done Why it was done Impact of the change Who approved it When the change was made It is important to capture this information on a consistent basis for all changes. A standard form for change management facilitates the process and ensures that change-related information is documented. The method of documentation can vary and depends on the business requirements. Companies use various methods including manual forms, spreadsheets, sophisticated workflow tools, and others. Risk: Without a form or some mechanism to track changes, the following risks exist: Lack of change documentation, which leads to Lack of accountability for changes Lack of an audit trail, which is an issue if changes have to be recreated Inconsistent change documentation 4. What information is required when requesting a change? Guidance: Users should be required to gather some minimum information when requesting a change so that approvers have the information necessary to evaluate it. Basic information that should be required includes the following: What change is being requested Why the change is necessary Impacts of the change e.g., systems, departments, business processes Urgency of the change

4 Risk: The change approval process can be very difficult if the approvers do not have the information necessary to make an informed decision on a change e.g., whether the change can be put into production, whether all impacts have been considered. This can lead to important changes not being implemented on a timely basis. 5. Are changes tested in a nonproduction environment before being moved into production? Does management enforce this process? Guidance: It is critical to test changes before implementing them in the production environment. A test environment that closely resembles the production environment is ideal for testing changes. In some companies, there is an environment set up for production support purposes, which is also good for testing changes. In some cases, a test environment might not be feasible. For example, it is sometimes not feasible to test network infrastructure changes because there is no test environment where it can be done. Testing allows you to see the nature and impact of the change and validate that the change is working as intended. Risk: The risk of not testing changes can be significant. Untested changes can result in new security vulnerabilities in the production environment. Untested changes may also not work as intended, which can result in other adverse effects in the environment. 6. Who is responsible for ensuring that any changes to the production system follow the change management process? Guidance: As with other security-related processes, someone should be responsible for ensuring that changes to production systems follow the change management process. For this to happen, there must be individuals who own the change management process and individuals who have ownership of production systems. Both of these groups must enforce the change management process. Although changes can be initiated from several places, there should be a person (or committee) who is responsible for ensuring that all change requests are funneled through a central mechanism. This will help ensure that changes are made subject to the appropriate scrutiny and subsequent approval.

5 Risk: Ownership translates into accountability. Without someone or some group owning the change management process, no accountability exists; this can result in untested and unapproved changes being moved into the production environment. 7. If a change control committee exists, does someone in the group represent security? Guidance: Many changes will have security implications. As security is something that is often overlooked, a security representative on the change control committee helps ensure that the security impact of changes is considered during the change review process. Risk: If the change control committee does not include security representation, a risk exists that security will not be considered when reviewing changes. This could result in security vulnerabilities being introduced into the production environment. 8. Are there specific change control windows when changes are made? Is this enforced? Guidance: To bring some discipline into the change process, changes should occur during regularly scheduled change-control windows. These windows of time should occur when the potential impact to users is minimal. This is especially important when changes may cause systems to be unavailable for an extended period. In these cases, end users should be informed prior to making changes. The advantage of having change-control windows is that they allow departments to plan for changes and for a formal and structured process to review changes. Risk: Without regularly scheduled change-control windows, a risk exists of changes being made in a manner that can be disruptive to users. In addition, the lack of change-control windows can result in users not properly planning changes and trying to force changes through an emergency process.

6 9. How are emergency changes handled? Guidance: In any environment, some changes will occur that are truly emergencies i.e., they must be made immediately. The need to make these changes quickly must be balanced with ensuring that all relevant impacts of the changes are considered. In these cases, there should be an emergency change process, which still ensures that the change management process is followed just in an accelerated manner. Appropriate personnel should review and approve changes, and there should be an audit trail of what changes were made. To help users determine what changes are emergencies, the change management policy or procedure should contain guidelines for what constitutes an emergency change so users know what is and is not an emergency. Risk: Without a process for emergency changes, a risk exists that critical changes will not be implemented in production on a timely basis. In addition, untested and unapproved changes may be introduced into the production environment. 10. Who can initiate a change? Is there an list of people or roles authorized to initiate a change? Guidance: To ensure that only reasonable changes are considered, there should be some limitations on who can initiate and present changes to the larger group i.e., a central group of people who are responsible for managing the change process. The members of the change-control committee have other jobs, and their time should not be wasted with reviewing changes that have not gone through any initial screening. This takes time away from discussing the meaningful change requests. One way to limit who can initiate changes is to restrict it to certain titles e.g., only managers and above can initiate changes. Other methods include having departmental level management doing the initial screening of change requests. Risk: The risk of not limiting who can make changes is that trivial or wrong changes might be submitted for review. As a result, meaningful changes will not receive the appropriate time for discussion.