IT Change Management — IT Certificate

            However, not patching in a timely fashion increases the organization’s exposure to potential security
            incidents.

            According to Richard Melick’s “Mean Time to Hardening: The Next-Gen Security Metric,” Threatpost
            (December 2019), “Given that the average time to weaponizing a new bug is seven days, you
            effectively have 72 hours to harden your systems before you will see new exploits. On average, it
            takes an organization 15 times longer to close a vulnerability than it does for attackers to weaponize
            and exploit one. Seven days to weaponize and 102 days to patch!”

            Source: https://threatpost.com/mean-time-hardening-next-gen-security-metric/151402/ (accessed
            April 14, 2020)

            Even the successful deployment of a patch can cause unintended problems, such as servers
            becoming nonfunctional and unavailable to deliver critical services.

            Organizations with effective patching functions will likely treat a new patch as a predictable and
            planned change. New patches are subject to the normal change management process unless rated a
            six or higher; then the emergency change process will be followed. Normally, a new patch is added
            to the queue to be evaluated, tested, and integrated into a scheduled release deployment.
            Emergency changes for critical patches still require evaluation and testing before deployment.
            Following a well-defined process for integrating patches leads to a much higher change success rate.

             TOPIC 2: IT CHANGE MANAGEMENT GOVERNANCE, RISKS, AND CONTROLS

            IT Change Management Governance, Risks, and Controls

            IT change management has an impact on the entire organization, and therefore management
            should be aware of the positive and negative effects that can occur when designing and
            implementing a strategy.

            Effective IT change management requires proper governance (including IT governance), which
            includes developing, documenting, and enforcing change policies, and ensuring employees are
            continually trained.

            Governance — Management and the Board

            IT change management is no longer the responsibility of IT management only. An organization’s
            entire senior management team should be accountable for managing risks to levels that enable the
            achievement of the organization’s objectives; and the organization’s board, in turn, is responsible
            for holding management accountable.


            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.