Risk-Based IT Change Management



Similar documents
Get Confidence in Mission Security with IV&V Information Assurance

Guidelines 1 on Information Technology Security

Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C.

GAO. Year 2000 Computing Crisis: Business Continuity and Contingency Planning

CA CMDB Connector for z/os version 2.0

Internal Audit Report ITS CHANGE MANAGEMENT PROCESS. Report No. SC-11-11

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Your Software Quality is Our Business. INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc.

CA Configuration Management Database (CMDB)

ITIL V3 Application Support Volume 1

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

White Paper Case Study: How Collaboration Platforms Support the ITIL Best Practices Standard

Negotiating Vendor Contracts. Key Initiative Overview

Army Regulation Product Assurance. Army Quality Program. Headquarters Department of the Army Washington, DC 25 February 2014 UNCLASSIFIED

Practical IT Service Management: Rapid ITIL Without Compromise

Configuration Management System:

BEYOND DIAGRAMS AND SPREADSHEETS DATA CENTER INFRASTRUCTURE MANAGEMENT (DCIM)

How Cisco IT Uses Software Configuration Management to Minimize Business Risk

Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada

PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3)

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper

OCC 98-3 OCC BULLETIN

VA Office of Inspector General

Science/Safeguards and Security. Funding Profile by Subprogram

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Why Should Companies Take a Closer Look at Business Continuity Planning?

UF Risk IT Assessment Guidelines

Dealer Member Cyber-security

Guideline on Vulnerability and Patch Management

Problem Management Overview HDI Capital Area Chapter September 16, 2009 Hugo Mendoza, Column Technologies

Integrating Physical Protection and Cyber Security Vulnerability Assessments

CHAPTER 7 Software Configuration Management

SACM and CMDB Strategy and Roadmap. David Lowe ActionableITSM.com March 20, 2012

Wilhelmenia Ravenell IT Manager Eli Lilly and Company

Systems Development Life Cycle (SDLC)

Software Asset Management on System z

Baldrige Excellence Builder

Maximize the synergies between ITIL and DevOps

Customer Relationship Management Software Package G-Cloud Service Definition

Technology Lifecycle Management. A Model for Enabling Systematic Budgeting and Administration of Government Technology Programs

INTRODUCTION. This book offers a systematic, ten-step approach, from the decision to validate to

Confidence in the Cloud Five Ways to Capitalize with Symantec

Q: What is CVSS? Q: Who developed CVSS?

Address IT costs and streamline operations with IBM service desk and asset management.

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

The Software Supply Chain Integrity Framework. Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.

Network Configuration Management

Spreading the Word on Nuclear Cyber Security

Datacenter Migration Think, Plan, Execute

Managing successful change: IT service transformation at HMRC. AXELOS.com. The Stationery Office 2012

TDWI strives to provide course books that are content-rich and that serve as useful reference documents after a class has ended.

ITSM 101. Patrick Connelly and Sandeep Narang. Gartner.

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Office of Inspector General

14 TRUTHS: How To Prepare For, Select, Implement And Optimize Your ERP Solution

HITRUST CSF Assurance Program

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Basel Committee on Banking Supervision. Working Paper No. 17

Creating and Maturing a Service Catalog

How To Create A Help Desk For A System Center System Manager

Development, Acquisition, Implementation, and Maintenance of Application Systems

Virginia Commonwealth University School of Medicine Information Security Standard

Baldrige Core Values and Concepts Customer-Driven Excellence Visionary Leadership

DRAFT RESEARCH SUPPORT BUILDING AND INFRASTRUCTURE MODERNIZATION RISK MANAGEMENT PLAN. April 2009 SLAC I

The Asset Management Landscape

Change Management Policy

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

University Hospitals. May 2010

IT Service Management

Risk Management Primer

ITIL in the Cloud. Vernon Lloyd.

Strategic Plan for the Enterprise Portfolio Project Management Office Governors Office of Information Technology... Ron Huston Director

The Power of Risk, Compliance & Security Management in SAP S/4HANA

From Chaos to Clarity: Embedding Security into the SDLC

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Business Continuity Planning (800)

Security Patch Management

The purpose of this document is to define the Change Management policies for use across UIT.

Architecting enterprise BPM systems for optimal agility

Information Technology Infrastructure Library (ITIL )

DOE O 226.1A, IMPLEMENTATION OF DEPARTMENT OF ENERGY OVERSIGHT POLICY CONTRACTOR ASSURANCE SYSTEMS CRITERIA ATTACHMENT 1, APPENDIX A

Dell s SMART Approach to Workload Automation

Specific observations and recommendations that were discussed with campus management are presented in detail below.

building a business case for governance, risk and compliance

Subject: Information Technology Configuration Management Manual

Help for the Developers of Control System Cyber Security Standards

5 Steps to Choosing the Right BPM Suite

Baseline Change Control Procedure

Root Cause Analysis Concepts and Best Practices for IT Problem Managers

Demand-Driven Customer Experience Management: Solutions for US Healthcare Payers

ITIL Event Management in the Cloud

Transcription:

PNNL-SA-54320 Application for The Northwest Academic Computing Consortium Joanne R. Hugi Excellence Award Risk-Based IT Change Management Pacific Northwest National Laboratory IT Services Division Abstract: In organizations without a formal information technology (IT) change management process, it is estimated that 80% of IT service outage problems are caused by updates and alterations to systems, applications, and infrastructure. Consequently, one of the first areas to address to improve service reliability is to track all changes and systematically manage change with full knowledge of the risks of the change and the potential organizational impact. While tracking change events is fairly well understood and is a common practice, consistently and reliably predicting the impact of change requires a disciplined, standards-based approach to assessing risk and likelihood of impact, a technique not usually found in off-the-shelf change tracking tools. The Pacific Northwest National Laboratory (PNNL) has deployed a method and software tool to assess and track the impact of infrastructure and application changes as part of a formal release management process. The approach evolved from the experience gained from years of formal change management, as well as the influence of standards and the inspiration of service management process benchmarks such as ITIL. Unique to PNNL s process is a graded approach to change control based on intuitive assessments of risk and impact. Description of the Practice: PNNL IT Change Management Process Overview Change Management is an essential part of the overall process to ensure the reliable delivery of information technology services. The PNNL infrastructure consists of over 2,400 highly interdependent applications, devices, and service functions (excluding thousands more user workstations and research project-specific devices and applications). The complexity of the infrastructure increases the difficulty of providing reliable services; change management becomes the pivotal element to manage these resources effectively. PNNL s approach to managing infrastructure changes focuses on controlling the integrity of information systems and resources, including all network devices, computer systems, applications, and databases in the infrastructure. To accomplish this, the change management process tracks all changes and requires reviews and approvals commensurate with the potential impact of the change. To promote thorough consideration of change impact prior to instituting the change, the process is integrated with the PNNL systems and software development lifecycle: change risks are considered before systems are built and tested (Figure 1). Modifications to the change release plan during the build and test phases are allowed, but the plan will be reviewed before implementation is approved. After implementation, a release status report records the success of the change, permitting self-assessment of change effectiveness. - 1 -

Figure 1. Integration of change management into PNNL s system development lifecycle process. Looking at System Criticality and Change Risks PNNL s approach differs from many formal IT change approval and tracking methods because it utilizes a standards-based approach to determine and address the risks of changes. Joined with an evaluation of the changed system s criticality to the overall enterprise, the resultant composite risk assessment prescribes mitigation requirements and strategies to be used when the change is implemented. By consistently evaluating system criticality and change risk, the Laboratory is assured of more reliable IT services since all known issues dealing with risk mitigation will be addressed with each proposed change. The process tracks the risk assessments, records change request approvals, and captures change implementation lessons-learned information that is used to influence reduce the impact of future changes. The automated process for determining composite risk assessment is broken into two standardized evaluations: the organizational criticality of the system to be changed and the likelihood of adverse impact resulting from the change. First, on an annual basis, the criticality of the system is appraised in order to establish its relative value to the enterprise. The standardized criteria for this assessment are: Number of users that could be impacted by a service interruption Financial impact of an extended service outage or unrecoverable loss of data Likelihood that a system/service failure could result in: Disclosure of sensitive information that needs to be protected Misuse of client-owned resources Malicious interruption of services or research operations - 2 -

Possibility that a system/service failure could result in an event or condition that may have adverse safety, health, security, operational, environmental, or mission implication Potential future impacts based on prior system/service interruption experiences Secondly, when a change is proposed, each request is graded against the following criteria: How many users will be visibly affected by the proposed change? What is the anticipated difficulty for user and support personnel to learn the new or modified system/service? What is the stability and supportability of the technology or vendor products utilized by the system? In the event the change implementation fails or adversely impacts other systems or services, what will be the impact of executing the implementation contingency plan? Based upon past experience, what is the likelihood of failure or adverse problems resulting from the change? The criticality appraisal blends with the change risk evaluation to produce a composite risk assessment that is used to pre-populate an automated release plan that guides the implementation of the change ( Figure 2). Depending on the level of the composite risk, requirements of the release plan such as testing rigor and end-user communications are strengthened to mitigate higher levels of risk. Conversely, a lower risk score results in a reduced scope of change implementation requirements. Likelihood of Impact High Medium Low (Activity-Based) Composite Risk Assessment Risk and Impact of Change Organizational Criticality (Yearly Assessment) Business Essential Potentially Business Essential Not Business Essential High Medium Low Figure 2. Combining organizational criticality and change risks. - 3 -

Automating the Process The change request and change risk assessment process is conducted through an automated system that tracks and records reviews and approvals. The keystone to the automated system is PNNL s Information Resource Inventory (IRI), a custom built, web-based configuration management database. PNNL had invested in the IRI well before automating our change management process. The IRI was seen as a keystone not only to this process, but others such as establishing and managing service level agreements, resource and application cost reporting, cyber security compliance tracking, property administration, business continuity, and customer relationship management. To support change management, the IRI contains system criticality information as well as owner, operational contact, and service function information. In the future, the central configuration management database will provide system interdependency information critical to determining change impact of the Laboratory s highly interconnected systems and services. The change request form (Figure 3) is used to the assess risk of the change through a consistent and objective set of questions, and to document the release plan, covering topics such as communications, training needs, ongoing operational support requirements, and release contingency plans. The form was implemented using Microsoft InfoPath. Change forms are stored and managed in a Microsoft SharePointbased document repository. Using these tools, PNNL developers were able to deploy the new system in 12 person-weeks, and have been able to easily and quickly modify the forms as we ve evolved our process through experience. Process Success Factors The PNNL change management practice combines the composite risk assessment method with an automated process for proposing the change, obtaining approval, and recording post-implementation lessons learned. The overall process met critical success factors for the deployment of changes into the organization s crucial IT infrastructure. The success factors were: Implementing changes is a repeatable process. Changes are made quickly and accurately, driven by business needs. Services are protected when changes are made to optimize risk exposure. Utilizing the process delivers efficiency and effectiveness benefits. By prescribing a consistent approach to evaluate change risk, the overall change review cycle is shortened. Prior to this method, 35% to 50% of all proposed changes required Change Management Board (CMB) approval, a face-to-face presentation and discussion where the change proposal author was subjected to questions from infrastructure leadership and system owners concerned about change impact. In this forum, the questions were seldom consistent; occasionally key issues were not effectively addressed as a result. The risk-based process now provides the missing consistency and allows many change requests to be reviewed and approved outside of the traditional, once-a-week CMB meeting. The number of proposals requiring full board review and approval has dropped to 6.5% of all proposed changes, improving approval cycle time accordingly. Many change requests that used to require the author to wait a week for the next CMB meeting are now approved the same day as the submittal. Additionally, the risk-based change process is moving the overall IT organization s service delivery maturity from reactive actions to those that are well defined and repeatable (Figure 4). The standardized approach to assessing risk and tracking change release assures repeatability. Self-assessment after change completion will assist the organization to more accurately predict change risk and impact, eventually leading to managing the risk of change when systems are built, rather than after they are deployed. - 4 -

Figure 3. The Change Request form. - 5 -

Service Management Process Maturity Framework 1 5 Optimized 4 Managed 3 Defined 2 Repeatable 1 Initial Figure 4. The Service Management Process Maturity Framework is a useful tool for evaluating IT service delivery method development effectiveness and for benchmarking against industry best practices. ( 1 Office of Government Commerce, ITIL Best Practice for Planning to Implement Service Management, p. 44.) Responses to Evaluation Criteria: Innovation The change approval and tracking methods utilize a standards-based approach to determine and address the risks of changes. The change risk assessment is tightly integrated with the central configuration management database that assesses, records, and applies the system s organizational value to the determination of risk and resultant release plan. Benefits The Laboratory is now assured of more reliable IT services because system criticality and change risk assessments are standardized, encompass known issues, and evolve as experience matures. Change implementation impacts are known before systems are built and tested because the change management process is integrated with a standard systems and software development lifecycle. The overall change review cycle has shortened significantly since there is a high level of confidence that change impact issues are properly and consistently evaluated. Committee review and approval of change requests dropped by more than a factor of five. Most requests are now approved the same day rather than collecting and reviewing weekly. Overall service delivery improved and is better defined and more repeatable. Self-assessment after change completion contributed to evolution of the change risk assessment as well as improvements to the overall change management process. - 6 -

Replicability This process is applicable to any organization managing change of its IT infrastructure devices, systems, and services. A versatile, central configuration management database is an essential element of this process, used for measuring and recording overall risk and impact to the enterprise. Costs Process administrative costs remain approximately the same, but higher reliability and shorter approval cycle times has benefited Laboratory productivity. Links: None. Principle Contact: Jan E. Goolsbey Jan.Goolsbey@pnl.gov (509) 375-2018 Other Key Contributors: Frank Carr Frank.Carr@pnl.gov (509) 375-2119 Wendy D. VanArsdale Wendy.VanArsdale@pnl.gov (509) 375-6419 - 7 -

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information