IT Change Management — IT Certificate
Business Justification, Approvals, and Authorizations
Once the justifications are complete, the requestor (business owner) approves the change request
and the associated documents for submission to the CAB for consideration. After the approvals are
obtained, the change request needs to be authorized. This involves:
Authorizing, rejecting, or requesting additional information about the change request.
Prioritizing the change request with respect to other pending changes.
Schedule, Coordinate, Test, and Implement the Change
Scheduling, coordinating, testing, and implementing the change will likely be the most
time-consuming steps in the change management process. Scheduling includes several tasks that may
have varying levels of complexity depending on the source, type, and scope of change. Scheduling
and coordinating encompasses:
Scheduling and assigning a change implementer.
Scheduling and assigning a change tester.
Communicating the change to stakeholders who may be affected.
Testing the change encompasses:
Testing the change in a preproduction environment.
Implementing the change encompasses:
Implementing the change as requested (may require a release ticket for software).
Change and Implementation Schedule
To assess and report the status of changes continually, management should publish a change
schedule that lists all approved changes, as well as planned implementation dates. In alignment
with the organization’s change management process, proposed changes should go before a CAB,
which is composed of business and IT leaders from the organization. Once the changes have been
approved, an implementation schedule should be created, published, and updated regularly. This
process helps provide the information and assurance required to track all changes in their various
states of completion.
Patch Schedule
Applying patches in a timely manner (once released by a vendor) is key to avoiding risks posed to an
organization’s system and its critical data. Organizations that have a well-defined and understood
patching process will be more efficient and timely in applying patches. An effective patching process
should include a patch release schedule of major vendors, a way to be aware of vendor pushes, clear
roles and guidelines to prioritize security vulnerabilities, and defined acceptable timeframes to
apply patches as informed by a risk assessment.
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.