IT Change Management — IT Certificate

              Allocate more resources to initiatives that help achieve business goals and fewer to unplanned
               work or “putting out fires.”

              Reduce system vulnerability and experience less downtime.


              Install patches with minimum disruption.

              Ensure scripts/bots are operating effectively and monitored properly.


            Quite simply, if the change management process is effective, the organization may realize significant
            cost savings.

            High-performing organizations generally have a positive outlook on controls. For example, effective
            change management processes may result in fewer issues being highlighted by external auditors,
            regulators, or equivalent authorities. As a result, the organization may have a more satisfied board,
            resulting in less pressure on IT management and ultimately, a more satisfied staff and lower
            turnover.

            Change management focuses on managerial and human processes, supported by technical and
            automated controls. Organizations increase their success by enabling effective business conduct
            with change management controls. Employees also have access to better tools, thus allowing
            customers to enjoy systems that meet their needs.

            Types of Change

            Changes may be categorized in many ways, but should generally be grouped together by timing,
            urgency, and/or level of perceived risk. Types of change include:
              Regular changes — typically application, middleware, operating system, or network software
               and hardware upgrades scheduled for implementation.
              Emergency changes — to correct immediate issues that cause service disruption.
              Preapproved changes — regularly or frequently occurring, lower risk changes that a change
               approval board (CAB) or other appropriate approver has authorized for implementation.
              Blanket changes — typically a master ticket created as needed (e.g., monthly, quarterly) to
               record a group of changes, such as router configuration changes, firewall rule updates, and
               sometimes Microsoft monthly patches.
              Automation "bot-driven" changes — processes that promote automated software changes,
               including patches from one environment to another.

            Software Vendors and Updates

            Software vendors, like Microsoft and Oracle, typically notify users of pending changes to their
            products, and it is incumbent upon those users to incorporate recommended patches into the
            production and other environments with as little organizational disruption as possible. However,
            many vendors now “push” or automatically (and proactively) implement patches without requiring
            or involving an organizational request, initiation, or other intervention.

            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.