Page 269 - ITGC_Audit Guides

Patches as Part of the Change-Management Process

Patches are changes to a computer program designed to address a security vulnerability, an
operational deficiency, or to add new or upgraded features between software releases. They may
repair vulnerabilities or other defective code unintentionally occurring in the production
environment.

Typically, software vendors notify users of pending changes, and it is incumbent on those users
to incorporate patches into the change management process with as little organizational
disruption as possible. However, many vendors now “push” or automatically (and proactively)
implement patches without requiring or involving an organizational request, initiation, or other
intervention.

In the context of this document, patches are treated as a category or class of change that is
subject to the company’s normal change management process.
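Because a vendor-pushed patch arrives without an organizational request, the practical control that follows from treating patches as a class of change is a periodic reconciliation of what is actually installed against what the change process approved. The following Python script is an added example written for this guide's readers; it is not part of the guide and does not reflect any specific tool. The data classes, field names (`source`, `status`, `window_start`), the sample hosts, patch identifiers (KB-0001 and so on) and change numbers (CHG-100 and so on) are all constructed for illustration; in practice the installed-patch inventory would be an export from the patch or endpoint-management tool and the change records an export from the ticketing system or CMDB.

```python
"""Reconcile installed patches against change-management records.

Added example for the audit guide, not the guide's own code. All data below
is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InstalledPatch:
    host: str
    patch_id: str
    installed_at: datetime
    source: str  # "vendor-push" (auto-applied by the vendor) or "manual"


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    patch_id: str
    status: str  # "approved", "rejected" or "pending" (assumed status values)
    window_start: datetime
    window_end: datetime


def reconcile(patches: List[InstalledPatch],
              changes: List[ChangeRecord]) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every installed patch against the change records.

    ok             - an approved record exists and, for manual installs, the
                     install time falls inside an approved window
    unrecorded     - no change record of any status exists for the patch
    unapproved     - records exist but none of them is approved
    outside_window - approved record exists, but the manual install happened
                     outside every approved window
    Vendor-pushed patches cannot be scheduled by the organization, so they are
    accepted as long as an approved (possibly retrospective) record exists.
    """
    by_patch: Dict[str, List[ChangeRecord]] = {}
    for c in changes:
        by_patch.setdefault(c.patch_id, []).append(c)

    findings: Dict[str, List[Tuple[str, str]]] = {
        "ok": [], "unrecorded": [], "unapproved": [], "outside_window": []}
    for p in patches:
        key = (p.host, p.patch_id)
        records = by_patch.get(p.patch_id, [])
        if not records:
            findings["unrecorded"].append(key)
            continue
        approved = [c for c in records if c.status == "approved"]
        if not approved:
            findings["unapproved"].append(key)
            continue
        if p.source == "vendor-push":
            findings["ok"].append(key)
            continue
        if any(c.window_start <= p.installed_at <= c.window_end for c in approved):
            findings["ok"].append(key)
        else:
            findings["outside_window"].append(key)
    return findings


# Constructed sample inventory and change log (no real systems or tickets).
T = datetime
SAMPLE_PATCHES = [
    InstalledPatch("web-01", "KB-0001", T(2024, 3, 5, 10, 0), "manual"),
    InstalledPatch("db-01", "KB-0002", T(2024, 3, 6, 2, 0), "manual"),
    InstalledPatch("app-01", "KB-0003", T(2024, 3, 4, 23, 15), "vendor-push"),
    InstalledPatch("app-02", "KB-0004", T(2024, 3, 5, 14, 0), "manual"),
    InstalledPatch("app-03", "KB-0005", T(2024, 3, 4, 1, 0), "vendor-push"),
]
SAMPLE_CHANGES = [
    ChangeRecord("CHG-100", "KB-0001", "approved", T(2024, 3, 5, 9), T(2024, 3, 5, 12)),
    ChangeRecord("CHG-101", "KB-0002", "approved", T(2024, 3, 7, 0), T(2024, 3, 7, 4)),
    ChangeRecord("CHG-102", "KB-0004", "rejected", T(2024, 3, 5, 13), T(2024, 3, 5, 15)),
    ChangeRecord("CHG-103", "KB-0005", "approved", T(2024, 3, 6, 9), T(2024, 3, 6, 10)),
]


def audit_report(patches=SAMPLE_PATCHES, changes=SAMPLE_CHANGES):
    """Run the reconciliation, print one line per exception, return findings."""
    findings = reconcile(patches, changes)
    for category in ("unrecorded", "unapproved", "outside_window"):
        for host, patch_id in findings[category]:
            print(f"{category:15s} {host:8s} {patch_id}")
    return findings


if __name__ == "__main__":
    audit_report()
```

On the constructed data the report lists one unrecorded vendor-pushed patch (the case the text warns about, where the vendor applied a change with no organizational initiation), one patch whose change was rejected, and one manual install that ran outside its approved window. Each exception is a candidate unauthorized or unrecorded change for the auditor to follow up; the retrospective record for KB-0005 shows how a pushed patch can still be brought under the normal process.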

Risks Related to Change Management

General Risks

A poor change management program may expose the organization to many risks, including
unauthorized or unrecorded changes being applied, system or application failure/downtime,
security issues, inefficient business processes, inconsistent results, and even misstated reports
and financial statements.

In addition, inefficient or ineffective change management can cost an organization through:

• Failure to achieve business objectives.
• Control deficiencies that may result in inconsistent compliance or negative audit results.
• Attrition of highly qualified IT staff due to frustration over low-quality results.
• Poor quality systems that can hinder employee productivity or frustrate customers.
• Missed opportunities to provide innovative or more efficient products and services to
  customers.
• Outages and unplanned work.
• Failure to conduct a threat analysis or test and implement necessary patches, which can
  introduce new critical security vulnerabilities or reintroduce prior vulnerabilities.
• Failure to properly engage the organization in the change advisory board (CAB)/change
  approval process, which increases the chance that change could impact the completion of a
  critical business activity.
• System changes that do not meet process owner needs, resulting in processing errors, lost
  time due to rework, and other negative outcomes.
• Slow information processing or instability in system operations.

Patch-related Risks

Patches tend to affect many critical systems libraries and other software used by application
programs. Patches can be large and/or complex changes, and often are intended to correct



                   6 — theiia.org