Appendix M. Change Management


Change management is the process by which changes are introduced into the information technology (IT) environment. The change management process facilitates the migration of changes to the production environment and helps ensure that all changes are properly tested and that all parties affected by the change have approved it. The other aspect of the change management process is the tracking of changes, i.e., ensuring that changes are properly documented and that an audit trail is associated with all changes that are made. The main objective of change management is to ensure that any negative impact to the production environment is minimized while required changes are made using a standard methodology.

Changes subject to the change management process can include changes to the network infrastructure, specific applications, or devices, as well as other changes. The time that the change management process takes will vary depending on the impact of the change. For example, changes that affect many people or groups will require more approvals than a minor change to an application that affects a small number of people. The change management process must also consider emergency changes, in which case testing and obtaining approvals for the change need to be performed quickly.

The main risks associated with not having a sound change management policy and process include:
- No audit trail of changes made to the production environment is maintained, making it difficult to recreate the environment if needed.
- Untested changes may introduce a security vulnerability into the production environment.

QUESTIONS

1. Is a change management policy in place that has been communicated and is readily accessible?

Guidance: A change management policy is essential in ensuring that personnel follow good change management practices. As with other security policies, having a change management policy communicates management's expectations and allows enforcement of change management. Although some individuals or groups might understand the value of change management, others might not. It is very important for all individuals and groups to understand the value of change management because a given change can affect multiple groups. To ensure that changes do not have any adverse effects, all affected parties must understand the implications of changes and approve them. When reviewing the policy, ensure that it at least addresses the following (based on International Standards Organization [ISO] 17799):
- Documentation
- Impact of changes
- Approval of changes
- Communication of changes
- Scope (what changes are covered)

Risk: The risks associated with not having a change management policy include:
- It is difficult to enforce change management if no policy exists mandating users to follow it.
- Individuals may follow inconsistent change management practices.

2. Is there a documented procedure in place for change management, and is it followed?

Guidance: The change management policy states what should be done; the procedure is the step-by-step explanation of how change management should be done. It is important to have a documented process to ensure that everyone is doing change management consistently. The change management procedure should at least address the following:
- Change control windows for normal and emergency change control.
- Initiation and approval of changes: who can initiate and who can approve changes.
- Testing requirements.
- Documentation requirements; a change management form is useful in facilitating this process.

Other items can be addressed in the procedure, based on the environment, but the list above is a minimum requirement. The procedure should be readily available to employees (it can be posted on the company intranet).

Risk: The risk of not having a documented policy is that critical aspects of the change management process may not be done properly or consistently. This can lead to untested and unapproved changes entering the production environment.

3. Is there a form to help facilitate the change management process? If not, how is the process documented?

Guidance: An important aspect of change management is documentation. The documentation provides an audit trail of key aspects of changes, including:
- What was done
- Why it was done
- Impact of the change
- Who approved it
- When the change was made

It is important to capture this information on a consistent basis for all changes. A standard form for change management facilitates the process and ensures that change-related information is documented. The method of documentation can vary and depends on the business requirements. Companies use various methods, including manual forms, spreadsheets, sophisticated workflow tools, and others.

Risk: Without a form or some mechanism to track changes, the following risks exist:
- Lack of change documentation, which leads to:
  - Lack of accountability for changes
  - Lack of an audit trail, which is an issue if changes have to be recreated
  - Inconsistent change documentation

4. What information is required when requesting a change?

Guidance: Users should be required to gather some minimum information when requesting a change so that approvers have the information necessary to evaluate it. Basic information that should be required includes the following:
- What change is being requested
- Why the change is necessary
- Impacts of the change (e.g., systems, departments, business processes)
- Urgency of the change

Risk: The change approval process can be very difficult if the approvers do not have the information necessary to make an informed decision on a change (e.g., whether the change can be put into production, whether all impacts have been considered). This can lead to important changes not being implemented on a timely basis.

5. Are changes tested in a nonproduction environment before being moved into production? Does management enforce this process?

Guidance: It is critical to test changes before implementing them in the production environment. A test environment that closely resembles the production environment is ideal for testing changes. In some companies, there is an environment set up for production support purposes, which is also good for testing changes. In some cases, a test environment might not be feasible. For example, it is sometimes not feasible to test network infrastructure changes because there is no test environment where it can be done. Testing allows you to see the nature and impact of the change and validate that the change is working as intended.

Risk: The risk of not testing changes can be significant. Untested changes can result in new security vulnerabilities in the production environment. Untested changes may also not work as intended, which can result in other adverse effects in the environment.

6. Who is responsible for ensuring that any changes to the production system follow the change management process?

Guidance: As with other security-related processes, someone should be responsible for ensuring that changes to production systems follow the change management process. For this to happen, there must be individuals who own the change management process and individuals who have ownership of production systems. Both of these groups must enforce the change management process. Although changes can be initiated from several places, there should be a person (or committee) who is responsible for ensuring that all change requests are funneled through a central mechanism. This will help ensure that changes are made subject to the appropriate scrutiny and subsequent approval.

Risk: Ownership translates into accountability. Without someone or some group owning the change management process, no accountability exists; this can result in untested and unapproved changes being moved into the production environment.

7. If a change control committee exists, does someone in the group represent security?

Guidance: Many changes will have security implications. As security is something that is often overlooked, a security representative on the change control committee helps ensure that the security impact of changes is considered during the change review process.

Risk: If the change control committee does not include security representation, a risk exists that security will not be considered when reviewing changes. This could result in security vulnerabilities being introduced into the production environment.

8. Are there specific change control windows when changes are made? Is this enforced?

Guidance: To bring some discipline into the change process, changes should occur during regularly scheduled change-control windows. These windows of time should occur when the potential impact to users is minimal. This is especially important when changes may cause systems to be unavailable for an extended period. In these cases, end users should be informed prior to making changes. The advantage of having change-control windows is that they allow departments to plan for changes and allow a formal and structured process to review changes.

Risk: Without regularly scheduled change-control windows, a risk exists of changes being made in a manner that can be disruptive to users. In addition, the lack of change-control windows can result in users not properly planning changes and trying to force changes through an emergency process.

9. How are emergency changes handled?

Guidance: In any environment, some changes will occur that are truly emergencies, i.e., they must be made immediately. The need to make these changes quickly must be balanced with ensuring that all relevant impacts of the changes are considered. In these cases, there should be an emergency change process, which still ensures that the change management process is followed, just in an accelerated manner. Appropriate personnel should review and approve changes, and there should be an audit trail of what changes were made. To help users determine what changes are emergencies, the change management policy or procedure should contain guidelines for what constitutes an emergency change so users know what is and is not an emergency.

Risk: Without a process for emergency changes, a risk exists that critical changes will not be implemented in production on a timely basis. In addition, untested and unapproved changes may be introduced into the production environment.

10. Who can initiate a change? Is there a list of people or roles authorized to initiate a change?

Guidance: To ensure that only reasonable changes are considered, there should be some limitations on who can initiate and present changes to the larger group, i.e., a central group of people who are responsible for managing the change process. The members of the change-control committee have other jobs, and their time should not be wasted reviewing changes that have not gone through any initial screening. This takes time away from discussing the meaningful change requests. One way to limit who can initiate changes is to restrict it to certain titles, e.g., only managers and above can initiate changes. Other methods include having departmental-level management do the initial screening of change requests.

Risk: The risk of not limiting who can make changes is that trivial or wrong changes might be submitted for review. As a result, meaningful changes will not receive the appropriate time for discussion.
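The ten questions above describe controls that an auditor normally checks by reading change forms one at a time. The Python below is an added example, not part of the appendix, that applies the same checklist to a batch of change records: required request information (Question 4), recorded approval (Questions 3 and 6), security review (Question 7), nonproduction testing (Question 5), the change-control window with an exemption for emergency changes (Questions 8 and 9), and an authorized-initiator list (Question 10). The record layout, the role names, the Sunday 01:00-05:00 window and the sample records are all assumptions constructed for illustration, not values taken from the text.

```python
"""Checklist audit of change records against the ten Appendix M questions.

Added example, not part of the original appendix. The record layout, the
authorized roles and the change window are assumptions made for illustration;
a real deployment would take them from its own policy and procedure.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

# Roles permitted to initiate a change (Question 10). Assumed list.
AUTHORIZED_INITIATOR_ROLES = {"manager", "director", "change_coordinator"}

# Normal change-control window (Question 8). Assumed: Sunday 01:00 to 05:00.
WINDOW_WEEKDAY = 6            # Monday is 0, Sunday is 6
WINDOW_START = time(1, 0)
WINDOW_END = time(5, 0)


@dataclass
class ChangeRecord:
    """One row from a change management form (Questions 3 and 4)."""
    change_id: str
    description: str            # what change is being requested
    justification: str          # why the change is necessary
    impacts: List[str]          # affected systems, departments, processes
    urgency: str                # "normal" or "emergency"
    initiator_role: str         # role of the person who raised the request
    approvers: List[str]        # who approved it
    security_reviewed: bool     # security representative reviewed it (Q7)
    tested_in_nonprod: bool     # tested before production (Q5)
    implemented_at: datetime    # when the change was made


def in_change_window(ts: datetime) -> bool:
    """True when the timestamp falls inside the scheduled window."""
    return ts.weekday() == WINDOW_WEEKDAY and WINDOW_START <= ts.time() < WINDOW_END


def audit_change(rec: ChangeRecord) -> List[str]:
    """Return checklist findings for one record; an empty list means compliant."""
    findings: List[str] = []
    # Q4: the minimum information an approver needs to decide.
    if not rec.description.strip():
        findings.append("Q4: no description of the change")
    if not rec.justification.strip():
        findings.append("Q4: no justification recorded")
    if not rec.impacts:
        findings.append("Q4: no impacts recorded")
    if rec.urgency not in ("normal", "emergency"):
        findings.append("Q4: urgency must be 'normal' or 'emergency'")
    # Q10: only authorized roles may initiate changes.
    if rec.initiator_role not in AUTHORIZED_INITIATOR_ROLES:
        findings.append(f"Q10: initiator role '{rec.initiator_role}' not authorized")
    # Q3/Q6: every change needs a recorded approval, emergencies included (Q9).
    if not rec.approvers:
        findings.append("Q6: no approval recorded")
    # Q7: security impact considered during review.
    if not rec.security_reviewed:
        findings.append("Q7: no security review recorded")
    # Q5: testing is still required for emergency changes, only faster (Q9).
    if not rec.tested_in_nonprod:
        findings.append("Q5: not tested in a nonproduction environment")
    # Q8: normal changes must land in the window; emergency changes are exempt.
    if rec.urgency == "normal" and not in_change_window(rec.implemented_at):
        findings.append("Q8: implemented outside the change-control window")
    return findings


def audit_batch(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map each change_id to its findings so a reviewer sees only the exceptions."""
    return {rec.change_id: audit_change(rec) for rec in records}


# Constructed sample records (not real data). 2024-03-10 is a Sunday.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "Patch web tier OS", "Vendor security update",
                 ["web servers", "customer portal"], "normal", "manager",
                 ["change board"], True, True, datetime(2024, 3, 10, 2, 30)),
    ChangeRecord("CHG-1002", "Block attacking source addresses at the firewall",
                 "Active intrusion attempt", ["perimeter firewall"], "emergency",
                 "director", ["on-call manager", "security lead"], True, True,
                 datetime(2024, 3, 12, 14, 5)),
    ChangeRecord("CHG-1003", "Hotfix to billing job", "", [], "normal",
                 "developer", [], False, False, datetime(2024, 3, 12, 14, 5)),
]

if __name__ == "__main__":
    for change_id, findings in audit_batch(SAMPLE_CHANGES).items():
        print(f"{change_id}: {'OK' if not findings else '; '.join(findings)}")
```

Running the block reports CHG-1001 and CHG-1002 as compliant and lists seven findings for CHG-1003. Note that the emergency record is only exempt from the window check: approval, security review and testing are still required, which is the "accelerated, not skipped" point of Question 9.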