Chapter 12: Change Management
MBAD 7090, IS Security, Audit, and Control (Dr. Zhao)

Objectives
• Understand change management
• Organizational change management
• IT change management
• Change management systems

Overview
The purpose of change management is to minimize the likelihood of disruption, unapproved changes, and errors. A change management process consists of the analysis, implementation, and review of all changes.
Organizational Change
• It is critical for an organization to adopt, manage, and adapt to change.
• This ability depends on people, the organization, and its culture.
• Communicate expectations.
• Organizational culture is shaped by:
• Incentives
• Company politics
• Organizational and technical support
• Inter-organizational relationships and social networks

From an IT Perspective
• Change management is usually thought of in terms of changes made to the existing IT infrastructure.
• However, changes affecting the organization are also a factor.
• In many cases, it is the organizational changes that introduce changes to the IT infrastructure.
• Change control is a specific checkpoint for IT auditors.
Vulnerabilities
In audits of federal agencies, the GAO found that inadequate change control resulted in:
• Increased operational costs
• Diminished usefulness of risk assessments and security plans
• Difficulty establishing logical controls to prevent or detect unauthorized access
• Increased difficulty in monitoring access, investigating apparent security violations, and implementing effective security patches

Software Configuration Management
A Framework for the Development and Assurance of High Integrity Software
The major objectives of the software configuration management (SCM) process are to track the different versions of the software and to ensure that each version contains exactly the software outputs generated and approved for that version.

IT Change Management
• Each change made to any component of an IT infrastructure, or to any system within it, should be:
• Identified
• Categorized
• Prioritized
• Assessed for impact
• Authorized

Change Management Controls
• A process for requesting changes
• Assessment of the impact of the change
• A control process over changes
• A process for emergency changes
• Revisions to documentation and procedures
• Authorization of maintenance changes
• A policy for new software releases
• A process for distributing software
What Should Be Documented and Required
• A record of change requests is kept for each application and system.
• A definition of the authority and responsibility of the IT department, as well as of the user.
• Formal management approval, given only after all the related information has been reviewed.
• A schedule for changes, together with a defined path for changes outside the schedule, so that unscheduled changes receive explicit management approval rather than slipping through unnoticed.
• A notification process, so that the requester is kept informed of the status of their request.

Emergency Changes
Emergency changes, by their nature, pose increased risk, since they bypass some of the formal analysis and process of the traditional change control procedure. As a result, audits of change control procedures should pay particular attention to emergency changes: each one should still end up with a record, a retroactive authorization by someone other than the person who made it, and a post-implementation review.
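The workflow on the preceding slides (identify, assess, authorize, implement, then review) and the emergency path that skips the middle steps can be enforced in code rather than left to procedure. The following is an added example, not code from the course or from any change management product: a small change-ticket state machine that refuses out-of-order transitions, refuses self-approval (an assumption drawn from "approval by formal management"), lets an emergency change go straight into progress, and then audits completed emergency changes for a missing retroactive approval. Ticket IDs, names and categories are constructed for the demonstration.

```python
"""Change-ticket state machine with an auditable emergency path (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Status(Enum):
    REQUESTED = "requested"
    ASSESSED = "assessed"
    AUTHORIZED = "authorized"
    IN_PROGRESS = "in progress"
    COMPLETE = "complete"
    FAILED = "failed"
    CANCELLED = "cancelled"


# Normal path: a change cannot reach IN_PROGRESS without passing AUTHORIZED.
ALLOWED = {
    Status.REQUESTED: {Status.ASSESSED, Status.CANCELLED},
    Status.ASSESSED: {Status.AUTHORIZED, Status.CANCELLED},
    Status.AUTHORIZED: {Status.IN_PROGRESS, Status.CANCELLED},
    Status.IN_PROGRESS: {Status.COMPLETE, Status.FAILED},
}


class ChangeControlError(Exception):
    """Raised when a transition would violate the change control policy."""


@dataclass
class Change:
    id: str
    requester: str
    category: str                      # "standard" or "emergency" (assumed labels)
    status: Status = Status.REQUESTED
    approver: Optional[str] = None     # set by an authorizer, never by the requester
    history: List[Tuple[str, str, str]] = field(default_factory=list)


def transition(change: Change, new: Status, actor: str) -> None:
    """Move a change to `new`, enforcing order of steps and separation of duties."""
    if new not in ALLOWED.get(change.status, set()):
        raise ChangeControlError(f"{change.id}: {change.status.value} -> {new.value} not allowed")
    if new is Status.AUTHORIZED:
        if actor == change.requester:
            raise ChangeControlError(f"{change.id}: requester may not authorize own change")
        change.approver = actor
    change.history.append((change.status.value, new.value, actor))
    change.status = new


def start_emergency(change: Change, actor: str) -> None:
    """Emergency path: skip assessment and authorization, but leave a visible trace."""
    if change.category != "emergency" or change.status is not Status.REQUESTED:
        raise ChangeControlError(f"{change.id}: not eligible for the emergency path")
    change.history.append((change.status.value, Status.IN_PROGRESS.value, f"{actor} (EMERGENCY)"))
    change.status = Status.IN_PROGRESS


def retroactive_authorize(change: Change, actor: str) -> None:
    """After-the-fact approval of an emergency change by someone other than the requester."""
    if actor == change.requester:
        raise ChangeControlError(f"{change.id}: requester may not approve own emergency change")
    change.approver = actor
    change.history.append((change.status.value, change.status.value, f"{actor} (retroactive approval)"))


def audit_emergency_changes(changes: List[Change]) -> List[str]:
    """Return IDs of finished emergency changes that never received an approval."""
    return [c.id for c in changes
            if c.category == "emergency"
            and c.status in (Status.COMPLETE, Status.FAILED)
            and c.approver is None]


def demo() -> dict:
    """Constructed walk-through: one standard change, one bad attempt, two emergencies."""
    std = Change("CHG-1001", requester="alice", category="standard")
    transition(std, Status.ASSESSED, actor="bob")
    try:
        transition(std, Status.AUTHORIZED, actor="alice")   # self-approval attempt
        self_approval_blocked = False
    except ChangeControlError:
        self_approval_blocked = True
    transition(std, Status.AUTHORIZED, actor="carol")
    transition(std, Status.IN_PROGRESS, actor="alice")
    transition(std, Status.COMPLETE, actor="alice")

    skipped = Change("CHG-1002", requester="dave", category="standard")
    try:
        transition(skipped, Status.IN_PROGRESS, actor="dave")  # skips authorization
        skip_blocked = False
    except ChangeControlError:
        skip_blocked = True

    em_ok = Change("CHG-1003", requester="erin", category="emergency")
    start_emergency(em_ok, actor="erin")
    transition(em_ok, Status.COMPLETE, actor="erin")
    retroactive_authorize(em_ok, actor="carol")

    em_bad = Change("CHG-1004", requester="erin", category="emergency")
    start_emergency(em_bad, actor="erin")
    transition(em_bad, Status.COMPLETE, actor="erin")          # never approved afterwards

    return {
        "self_approval_blocked": self_approval_blocked,
        "skip_blocked": skip_blocked,
        "findings": audit_emergency_changes([std, em_ok, em_bad]),
    }


if __name__ == "__main__":
    print(demo())   # {'self_approval_blocked': True, 'skip_blocked': True, 'findings': ['CHG-1004']}
```

The history list is the audit trail: the emergency entry is written with an explicit marker so an auditor can select every change that took the short path, and `audit_emergency_changes` is the kind of query the slide asks auditors to run, namely "which emergency changes were never formally approved afterwards".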
Software Release Policy
• Appropriate backups of the system's data and programs should be made before the change.
• Version control should be accounted for in the process. Version control is the manner in which the set of files associated with a version is tracked.
• Software releases should only be accepted from the prescribed central source.
• A formal hand-over process is also required, so that authorized personnel are involved in the process, the implemented software is unchanged from what was tested, and the software media is prepared by the appropriate function according to the formal build instructions.

Software Distribution Practices
• The software should be distributed in a timely manner to all who are authorized to receive it.
• A means of verifying the integrity of the software, incorporated into the installation process.
• A formal record of to whom the software has been distributed and where it has been implemented. This record should also match the number of purchased licenses.
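The two slides above ask for the same mechanism twice: at hand-over, proof that what is installed is exactly what was tested, and at distribution, an integrity check built into installation plus a record that stays within the license count. The following is an added example, not course material or any vendor's tool, showing one way to do both: a manifest of SHA-256 digests taken from the tested build, a verification step that rejects modified, missing or extra files before installation, and a distribution register that refuses to exceed the purchased licenses. The file names, contents, version string and license count are constructed for the demonstration.

```python
"""Release hand-over manifest, pre-install integrity check, distribution register (constructed example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(release_dir: Path, version: str) -> dict:
    """Hand-over step: record a digest for every file of the tested build."""
    files = {p.relative_to(release_dir).as_posix(): sha256_of(p)
             for p in sorted(release_dir.rglob("*")) if p.is_file()}
    return {"version": version, "files": files}


def verify_release(release_dir: Path, manifest: dict) -> List[str]:
    """Pre-install step: return problems found; an empty list means install may proceed."""
    problems: List[str] = []
    expected: Dict[str, str] = manifest["files"]
    for rel, digest in expected.items():
        p = release_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"modified: {rel}")
    present = {p.relative_to(release_dir).as_posix()
               for p in release_dir.rglob("*") if p.is_file()}
    for rel in sorted(present - expected.keys()):
        problems.append(f"unexpected: {rel}")     # a file the tested build did not contain
    return problems


class DistributionRegister:
    """Who received which version, bounded by the number of purchased licenses."""

    def __init__(self, version: str, licenses_purchased: int) -> None:
        self.version = version
        self.licenses = licenses_purchased
        self.targets: Set[str] = set()

    def distribute(self, target: str) -> bool:
        """Record an installation; refuse once every purchased license is in use."""
        if target in self.targets:
            return True                           # already recorded, not a second license
        if len(self.targets) >= self.licenses:
            return False
        self.targets.add(target)
        return True


def demo() -> dict:
    """Build a constructed release tree, hand it over, tamper with it, then distribute."""
    with tempfile.TemporaryDirectory() as tmp:
        tested = Path(tmp) / "build-1.4.2"
        (tested / "bin").mkdir(parents=True)
        (tested / "bin" / "app").write_bytes(b"\x7fELF constructed binary, not a real program")
        (tested / "config.ini").write_text("debug=false\n")

        manifest = build_manifest(tested, "1.4.2")
        clean = verify_release(tested, manifest)

        # Changes made after testing, which the hand-over process is meant to catch:
        (tested / "config.ini").write_text("debug=true\n")
        (tested / "bin" / "extra.so").write_bytes(b"dropped in after testing")
        tampered = verify_release(tested, manifest)

    register = DistributionRegister("1.4.2", licenses_purchased=2)
    accepted = [register.distribute(host) for host in ("host-a", "host-b", "host-a", "host-c")]
    return {"clean": clean, "tampered": tampered, "accepted": accepted,
            "installed_on": sorted(register.targets)}


if __name__ == "__main__":
    print(demo())
```

A digest manifest only proves that the installed tree equals the tested tree if the manifest itself cannot be altered by whoever can alter the tree; in practice it is signed by the release function or stored out of band, and the installer checks the signature before trusting a single digest.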
Change Control Software Products
Examples:
• KONFIG® Configuration Management (KONFIG CM) by Auto-trol Technology Corporation
• Kintana Accelerators for Oracle, PeopleSoft, SAP and Siebel by Kintana, Inc.
• TurnOver™ Change Management by SoftLanding Systems, Inc.

Change Management Board or Committees
• Change management boards or committees are a common approach to coordinating and communicating changes within an organization.
• Members:
• Elected chairperson
• Leads from application development/support teams (finance, human resources, etc.)
• Data center operations
• Networks/telecommunications
• Help desk
• Key user representatives

Criteria for Approving Changes
• State of the production environment
• Change level
• Cumulative effect of all proposed changes
• Resource availability
• Criticality

Post-Implementation Questions
• Were the change procedures followed?
• Did the change adequately meet its objectives?
• Were the implementation and back-out procedures adequate?
• Can any problems encountered be addressed during future planning?
The status of the change is then updated to one of: complete, not complete, in progress, failed, or cancelled.
Class Discussion
A university currently provides the ability to register for classes via a telephone registration system. However, the university is moving to registration via the web. The university is evaluating whether it should discontinue the phone service or continue it once the online service is available.
Q: Perform a fit-gap analysis of this scenario, considering organizational/social changes as well as IT changes.