Page 273 - ITGC_Audit Guides

Standardized methods and procedures within a change management structure support effective and efficient handling of changes through each environment and minimize the impact of change-related incidents on service quality and availability. To protect the production environment, changes should be managed in a repeatable, defined, and predictable manner. Care should be taken to ensure changes made to correct one application, server, or network device do not have unintended consequences on other devices or applications. This is especially important for IT assets (e.g., software, hardware, and information) supporting the organization’s critical business processes and data repositories.

Types of Change

Changes may be categorized in many ways, but generally should be grouped together by timing, urgency, and/or levels of perceived risk. In addition to patches, other types of change that may occur include:

• Regular changes – typically application, middleware, operating system, or network software and hardware upgrades scheduled for implementation.
• Emergency changes – to correct immediate issues that cause service disruption.
• Preapproved changes – regularly or frequently occurring, lower risk changes that a CAB or other appropriate approver has authorized for implementation.
• Blanket changes – typically a master ticket is created as needed (e.g., monthly, quarterly) to record a group of changes, such as router configuration changes, firewall rule updates, and sometimes Microsoft monthly patches.
• Automation "bot-driven" changes – processes built into a tool that automatically promote software changes, including patches, from one environment to another without the need for additional human intervention.

Sources of Change

Virtually every business decision will initiate a change in the IT environment. Sources of change that should be addressed and managed effectively include:

• External environment (e.g., competitive market, stakeholders/shareholders, changing risks, geopolitical events).
• Regulatory environment (e.g., developing new reporting capabilities to comply with new or updated regulations).
• Modifications or updates to business risks, objectives, goals, strategies, requirements, processes, and shifts in priorities.
• Upgrades.
• Patches.
• New products, vendors, partners, or suppliers.
• Identified vulnerabilities.
• Results of an audit, risk assessment, or other type of evaluation or assessment.
• Corrections to operational issues.



                   10 — theiia.org