Change Management
As stated above, system, network, and application changes are required. A system that does not change will become less secure over time, as security updates and patches are not applied. In order to maintain consistent and known operational security, a regimented change management or change control process needs to be followed. The purpose of the change control process is to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impacts that the changes might impose. The overall change management process has phases, the implementation of which will vary to some degree within each organization. Typically, there is a change control board that oversees and coordinates the change control process. The change control board should include not only members of the Information Technology team, but also members from business units.
The intended change must first be introduced or proposed to the change control board. The change control board then gathers and documents sufficient details about the change to attempt to understand the implications. The person or group proposing the change should attempt to supply information about any potential negative impacts that might result from the change, as well as any negative impacts that could result from not implementing the change. Ultimately, the decision to implement the change, and the timeliness of this implementation, will be driven by principles of risk and cost management. Therefore, details related to the organizational risk associated with both enacting or delaying the change must be brought to the attention of the change control board. Another risk-based consideration is whether or not the change can be easily reversed should unforeseen impacts be greater than anticipated. Many organizations will require a rollback plan, which is sometimes also known as a backout plan. This plan will attempt to detail the procedures for reversing the change should that be deemed necessary.
If the change control board finds that the change is warranted, then a schedule for testing and implementing the change will be agreed upon. The schedule should take into account other changes and projects impacting the organization and its resources. Associated with the scheduling of the change implementation is the notification process that informs all departments impacted by the change. The next phase of the change management process will involve the testing and subsequent implementation of the change. Once implemented, a report should be provided back to the change control board detailing the implementation, and whether or not the change was successfully implemented according to plan.
Change management is not an exact science, nor is the prescribed approach a perfect fit for either all organizations or all changes. In addition to each organization having a slightly different take on the change management process, there will also likely be particular changes that warrant deviation from the organizational norm because the change is either more or less significant than typical changes. For instance, managing the change associated with a small patch could well be handled differently than a major service pack installation. Because of the variability of the change management process, specific named phases have not been offered in this section. However, the general flow of the change management process includes:
- Identifying a change
- Proposing a change
- Assessing the risk associated with the change
- Testing the change
- Scheduling the change
- Notifying impacted parties of the change
- Implementing the change
- Reporting results of the change implementation
All changes must be closely tracked and auditable. A detailed change record should be kept. Some changes can destabilize systems or cause other problems; change management auditing allows operations staff to investigate recent changes in the event of an outage or problem. Audit records also allow auditors to verify that change management policies and procedures have been followed.