Page 276 - ITGC_Audit Guides

                      Orchestration change tools – these perform functions including code promotion between
                      environments, server provisioning, and automated patch deployment.

                   When selecting and using a tool to assist in the change management process, management
                   should understand the capabilities, functionalities, and limitations of each tool. Risks are
                   commonly introduced when multiple tools are used with multiple interfaces, separate tools are
                   used for different types of changes, and tools are managed across diverse and/or multiple
                   geographic locations.


                   Continuous Evaluation and Improvement

                   Change management is an evolutionary process, and each organization’s progression along the
                   spectrum of maturity is unique. Many factors affect the organization’s position, trajectory, and rate
                   of progress. Organizations should evaluate and improve change management processes on a
                   consistent basis to keep up with technology and the global environment as much as possible.

                   Care should be taken, however, when introducing a new change management program or
                   updating an existing one. Changes that are poorly designed and implemented may result in
                   unnecessary expenditures and unplanned/emergency work to minimize any negative impacts.
                   Progressing to another maturity level is less important than the quality and integrity of the process
                   to get there.

                   Management’s Controls

                   Effective change management requires proper governance (including IT governance), which
                   includes developing, documenting, and enforcing change policies and ensuring employees are
                   continually trained. It also includes controls to ensure all changes are authorized and auditable
                   and that unauthorized changes are investigated.
                   Preventive controls include segregation of roles/duties and change authorization. In addition,
                   detective controls should be in place to effectively monitor the production environment for
                   changes, to reconcile these changes to approvals, and report unauthorized variances. Change
                   management controls can also be corrective during outages and service impairments, allowing
                   change to be ruled out first in the repair cycle and thereby reducing repair time.
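
The detective control described above (monitor production for changes, reconcile them to approvals, report unauthorized variances) can be sketched as follows. This is an added example, not part of the guide; the record fields, ticket IDs, hostnames, and finding codes are assumptions, and the sample data is constructed.

```python
from datetime import datetime

# Constructed sample data; field names are assumptions, not from the guide.
APPROVALS = [
    {"id": "CHG-1001", "asset": "web01", "approver": "alice", "implementer": "bob",
     "start": "2024-03-01T22:00", "end": "2024-03-02T02:00"},
    {"id": "CHG-1002", "asset": "db01", "approver": "carol", "implementer": "carol",
     "start": "2024-03-03T22:00", "end": "2024-03-04T02:00"},
]
DETECTED = [  # e.g. output of file-integrity or configuration monitoring
    {"asset": "web01", "actor": "bob", "time": "2024-03-01T23:15"},
    {"asset": "web01", "actor": "bob", "time": "2024-03-02T09:40"},
    {"asset": "db01", "actor": "carol", "time": "2024-03-03T22:30"},
    {"asset": "app02", "actor": "dave", "time": "2024-03-05T11:00"},
    {"asset": "web01", "actor": "erin", "time": "2024-03-01T23:30"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def reconcile(detected, approvals):
    """Return (change, finding, ticket_id) for every detected change."""
    results = []
    for chg in detected:
        when = _ts(chg["time"])
        on_asset = [a for a in approvals if a["asset"] == chg["asset"]]
        in_window = [a for a in on_asset if _ts(a["start"]) <= when <= _ts(a["end"])]
        by_actor = [a for a in in_window if a["implementer"] == chg["actor"]]
        if not on_asset:
            finding, ticket = "NO_APPROVAL", None
        elif not in_window:
            finding, ticket = "OUTSIDE_WINDOW", None
        elif not by_actor:
            finding, ticket = "WRONG_IMPLEMENTER", in_window[0]["id"]
        elif by_actor[0]["approver"] == by_actor[0]["implementer"]:
            # Segregation of duties: approver must differ from implementer.
            finding, ticket = "SOD_VIOLATION", by_actor[0]["id"]
        else:
            finding, ticket = "OK", by_actor[0]["id"]
        results.append((chg, finding, ticket))
    return results

def variances(detected, approvals):
    """Only the changes that need investigation."""
    return [r for r in reconcile(detected, approvals) if r[1] != "OK"]

if __name__ == "__main__":
    for chg, finding, ticket in variances(DETECTED, APPROVALS):
        print(chg["time"], chg["asset"], chg["actor"], finding, ticket or "-")
```
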

                   Effective Change Management


                   Change management has an impact on the entire organization, and therefore management
                   should be aware of the positive and negative effects that can occur when designing and
                   implementing a strategy. To be effective, change management processes should cover:

                      What is being changed, why it is being changed, and when it is being changed.
                      Whether the change is properly authorized based on specific criteria.
                      Who requested the change.
                      Who is responsible for performing the change.
                      Who is responsible for validating the change.
                      How efficiently and effectively changes are implemented.



                   13 — theiia.org