Page 278 - ITGC_Audit Guides

                       Allocate more resources on initiatives that help achieve business goals and fewer on unplanned work.
                       Reduce system vulnerability and experience less downtime.
                       Install patches with minimum disruption.
                       Be proactive and focus on improvements rather than “putting out fires.”
                       Ensure scripts/bots are operating effectively and monitored properly.

                   Quite simply, if the change management process is effective, the organization may realize
                   significant cost savings.

                   High-performing organizations generally have a positive outlook on controls. For example,
                   effective change management processes may result in fewer issues being highlighted by external
                   auditors, regulators, or equivalent authorities. As a result, the organization may have a more
                   satisfied board, resulting in less pressure on IT management and ultimately a more satisfied staff
                   and lower turnover.

                   Change management hinges on processes with a managerial and human focus, supported by
                   technical and automated controls. Ultimately, organizations that treat change management
                   controls as enablers for effective business conduct are more successful. Employees have access
                   to better tools to boost productivity, and customers enjoy systems that meet their needs.

                   Benchmarking Effective Change Management


                   Indicators of effective change management may appear as a feature of maturity (e.g., predictable,
                   repeatable, managed, measurable, and measured). Appendix E, “Characteristics of Effective and
                   Ineffective Change Management Processes,” explores these maturity indicators as they relate to
                   several organizational dimensions, including market, client/customer/stakeholder, enterprise, and
                   IT infrastructure.

                   Patches

                   As previously described, patches are changes to a computer program designed to address a
                   security vulnerability or an operational deficiency or to add new features between releases.
                   Typically, vendors of commercially available software announce patches on their websites.
                    Additionally, patches correcting security vulnerabilities can be found on both the United States
                    Department of Homeland Security website and on the National Vulnerability Database (NVD).[2,3]
                   An organization may deploy patches manually or through a patch deployment or orchestration
                   tool and/or by one or more third parties. Organizations should ensure contracts with third parties
                   adequately address patch management, including patch-related communication, and are tied to
                   service-level agreements (SLAs).
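                    The paragraph above names the two ingredients of a security patch control: a source of vulnerability
                    data (such as the NVD) and an SLA that fixes how quickly a patch must reach production. The following
                    Python script is an added illustration, not code from the IIA guide, of how an auditor or engineer can
                    join the two: it matches an inventory export (as a patch orchestration tool might produce it) against
                    vulnerability records and flags every host whose patch is past its SLA due date. The vulnerability
                    records, the host inventory, the product names and the SLA table are all constructed for the example;
                    the record layout is a simplified shape loosely modelled on NVD's JSON and is not the exact NVD schema.

```python
"""Patch-gap check: inventory versus vulnerability records, with SLA deadlines."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample vulnerability records (not real CVEs; simplified shape,
# not the actual NVD schema): identifier, severity, publication date, the
# affected product and the first version that carries the fix.
VULN_FEED = [
    {"cve": "CVE-0000-0001", "severity": "CRITICAL", "published": "2020-01-02",
     "product": "examplecorp:webserver", "fixed_in": "2.4.10"},
    {"cve": "CVE-0000-0002", "severity": "MEDIUM", "published": "2019-12-01",
     "product": "examplecorp:webserver", "fixed_in": "2.4.8"},
    {"cve": "CVE-0000-0003", "severity": "HIGH", "published": "2019-12-20",
     "product": "examplecorp:dbengine", "fixed_in": "11.3"},
]

# Constructed sample inventory, in the form a patch orchestration tool might export.
INVENTORY = [
    {"host": "web01", "product": "examplecorp:webserver", "version": "2.4.7"},
    {"host": "web02", "product": "examplecorp:webserver", "version": "2.4.9"},
    {"host": "db01", "product": "examplecorp:dbengine", "version": "11.3"},
]

# Hypothetical SLA: days allowed between publication and deployment, by severity.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}


def parse_version(version: str) -> tuple:
    """Split '2.4.10' into (2, 4, 10) so comparisons are numeric.

    Comparing version strings lexically is a classic patch-audit error:
    '2.4.10' < '2.4.9' as strings, so a host on 2.4.9 would be reported as
    already at or above a 2.4.10 fix. Real-world version schemes (suffixes,
    epochs) need a proper library; dotted integers suffice for this example.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass
class Finding:
    host: str
    cve: str
    severity: str
    installed: str
    fixed_in: str
    due: date
    overdue: bool


def patch_gaps(inventory, feed, today_iso: str, sla_days=SLA_DAYS) -> list:
    """Return one Finding per (host, vulnerability) pair that is still unpatched."""
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        installed = parse_version(item["version"])
        for vuln in feed:
            if vuln["product"] != item["product"]:
                continue
            if installed >= parse_version(vuln["fixed_in"]):
                continue  # fix already deployed on this host
            published = date.fromisoformat(vuln["published"])
            due = published + timedelta(days=sla_days[vuln["severity"]])
            findings.append(Finding(item["host"], vuln["cve"], vuln["severity"],
                                    item["version"], vuln["fixed_in"], due, today > due))
    return findings


def overdue_hosts(findings) -> list:
    """Distinct hosts with at least one finding past its SLA, in first-seen order."""
    seen = []
    for f in findings:
        if f.overdue and f.host not in seen:
            seen.append(f.host)
    return seen


if __name__ == "__main__":
    results = patch_gaps(INVENTORY, VULN_FEED, "2020-01-20")
    for f in results:
        state = "OVERDUE" if f.overdue else "within SLA"
        print(f"{f.host}: {f.cve} ({f.severity}) installed {f.installed}, "
              f"fixed in {f.fixed_in}, due {f.due.isoformat()} -> {state}")
    print("hosts out of SLA:", overdue_hosts(results))
```

                    On the constructed data, web01 is exposed to both webserver vulnerabilities and web02 to the
                    critical one only; the critical fix was due seven days after publication, so both hosts are out of
                    SLA while the medium-severity gap on web01 is still inside its window. In an audit, the same join
                    run against the real inventory and feed gives a population of exceptions to sample, and the SLA
                    table is the control parameter to agree to the contract or policy the paragraph refers to.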

                   Despite the potential urgency attached to applying software patches, patch deployment ideally
                   belongs in preproduction processes where patches can be tested adequately in a staging or
                   “sandbox” environment. Ideally, patches are deployed as part of a scheduled patch management


                   2   CISA Cyber+Infrastructure, Department of Homeland Security, us-cert.gov, accessed on January 7, 2020.
                   3   National Vulnerability Database, NIST, https://nvd.nist.gov/.


                   15 — theiia.org