City of Milwaukee Employes Retirement System (ERS)

Transcription

1 City of Milwaukee Employes Retirement System (ERS) Change Management Audit Report OCTOBER 1, 2009 JEFFERSON WELLS 330 EAST KILBOURN AVENUE, SUITE 1075 MILWAUKEE, WI (414) JACK BULLIS, ENGAGEMENT MANAGER CONNIE MCDONALD, DIRECTOR

2 TABLE OF CONTENTS EXECUTIVE SUMMARY... 3 Scope... 3 Conclusion... 4 PROCEDURES PERFORMED... 5 ISSUE, RECOMMENDATIONS & MANAGEMENT S RESPONSE... 6 Formal Change Management Policy and Procedures... 6 Page 2 of 6

3 EXECUTIVE SUMMARY Scope As part of the annual audit plan, Jefferson Wells completed an audit of the change management process at ERS. Change management is the process used to monitor and control modifications made to systems. Modifications should be monitored and controlled to help ensure unauthorized or untested changes are not installed on production equipment. An increase in system vulnerabilities and downtime can occur when change management processes are not in place. Change management policies and procedures help ensure that all modifications are approved and fully tested before they are moved to the production environment. The objective of the change management audit was to determine whether ERS has implemented a change management process that assesses the risk of its application, hardware, operating system, and database changes; and requires appropriate efforts to monitor and mitigate those risks. A comprehensive change management program generally includes an assessment of risks to identify needs, the importance and criticality of the function, and the necessary controls and reporting processes over the activity. Based on the risk level, the process should define the need for, and extent of the following activities: Controls provide reasonable assurance that system changes are authorized and appropriately tested before being moved to production Requests for program changes, system changes, and maintenance are standardized, logged, approved, documented, and subject to formal change management procedures Emergency change requests are documented and subject to formal change management procedures Controls are in place to restrict migration of programs to production by authorized individuals only Fieldwork was completed from March 16, 2009, through April 30, The audit included interviews (IT and business unit personnel), observations, sample testing, and review of documentation. Page 3 of 6

4 Conclusion This report reflects the results of the Jefferson Wells change management audit. Based on the results of this review, ERS has implemented certain elements of a comprehensive change management program including the following: Requests for MERITS application changes are standardized, documented, and subject to formal change management procedures Requests for changes to the MERITS application are prioritized, using clearly defined criteria, and are addressed following pre-defined schedules based on severity or priority Emergency application change requests are documented and subject to formal change management procedures A log is maintained of change history steps for application changes as a part of the PIR (Program Investigation Request) or CCR (Change Control Request) ticket A separate test environment is used for the testing of all changes before being migrated into production Controls are in place to restrict migration of application programs to production only by authorized individuals ERS does not have a formalized change management policy. It has developed draft MERITS Testing Standards (Guidelines) and has implemented an Operating System Updates Procedure. Established procedures appear to be followed. At the time of this audit, changes such as patches and actions taken to mitigate vulnerabilities were not being formally documented. These changes go through the technical change management process by deploying and testing first in the development environment, then in system test and ultimately in production. Significant changes related to software upgrades are tracked through a change control request in the tracking system. (See change management finding in the Information Security Audit report dated July 20, 2009.) ERS has taken steps to develop formal policies and procedures, including change management. Page 4 of 6

5 PROCEDURES PERFORMED The following procedures were performed during the internal audit. Conducted interviews with key IS personnel. Reviewed all policies and procedures (finalized or draft) related to change management practices. Tested a sample of 25 Change Control Requests and Program Investigation Requests for changes occurring during the period January 2, 2008, through March 23, 2009, including: o Evidence of priority determination o Ownership o Release assignment o Testing o Status o Documentation of steps performed o Production migration or closing without change Reviewed the process for emergency changes. Conducted interviews with business process owners and QA personnel regarding change initiation, testing, and implementation approval. Verified segregation of duties regarding migration of changes into the production environment. Page 5 of 6

6 ISSUES, RECOMMENDATIONS & MANAGEMENT S RESPONSE Formal Change Management Policy and Procedures A formal, documented Change Management Policy does not exist. Although the guidelines followed for MERITS changes appear to be consistently followed, they are in draft form. Finalizing, approving, and implementing policies and procedures could only help enforce and standardize the practices in place within ERS. Recommendation: Management should develop a formal Change Management Policy that provides specific guidance regarding application changes, operating system changes, hardware changes, emergency changes, and patch management. Procedures should be formalized to address hardware (configuration settings, maintenance, planned, unplanned, and emergency changes) as well as application and database changes. Management Response: The ERS has a fairly consistent change management approach and methodology. We are currently in the process of documenting our procedures. Estimated Completion Date: December 31, 2009 Responsible Party: Martin Matson Page 6 of 6