
IT Change Management — IT Certificate

            Business Justification, Approvals, and Authorizations

            Once the justifications are complete, the requestor (business owner) approves the change request
            and the associated documents for submission to the CAB for consideration. After the approvals are
            obtained, the change request needs to be authorized. This involves:
                 Authorizing, rejecting, or requesting additional information about the change request.
                 Prioritizing the change request with respect to other pending changes.

            Schedule, Coordinate, Test, and Implement the Change

            Scheduling, coordinating, testing, and implementing the change will likely be the most
            time-consuming steps in the change management process. Scheduling includes several tasks that may
            have varying levels of complexity depending on the source, type, and scope of change. Scheduling
            and coordinating encompass:
              Scheduling and assigning a change implementer.
              Scheduling and assigning a change tester.
              Communicating the change to stakeholders who may be affected.

            Interview with Auditor and CSO: Network Protection

            Testing the change encompasses:
              Testing the change in a preproduction environment.

            Implementing the change encompasses:
              Implementing the change as requested (may require a release ticket for software).

            Change and Implementation Schedule

            To assess and report the status of changes continually, management should publish a change
            schedule that lists all approved changes, as well as planned implementation dates. In alignment
            with the organization’s change management process, proposed changes should go before a CAB,
            which is composed of business and IT leaders from the organization. Once the changes have been
            approved, an implementation schedule should be created, published, and updated regularly. This
            process helps provide the information and assurance required to track all changes in their various
            states of completion.

            Patch Schedule

            Applying patches in a timely manner (once released by a vendor) is key to avoiding risks posed to an
            organization’s system and its critical data. Organizations that have a well-defined and understood
            patching process will be more efficient and timely in applying patches. An effective patching process
            should include a patch release schedule of major vendors, a way to be aware of vendor pushes, clear
            roles and guidelines to prioritize security vulnerabilities, and defined acceptable timeframes to
            apply patches as informed by a risk assessment.


            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.