Page 296 - ITGC_Audit Guides
P. 296

Table E.3 (continued)

                    Infrastructure Level
                    Effective
                           A culture of change management is perpetuated by a combination of tone at the top and preventive,
                           detective, and corrective controls, which serve to deter future unauthorized changes.
                           Management explicitly states that the only acceptable number of unauthorized changes is “zero.”
                           A high change success rate is present, resulting in the absence of, or at least minimal, unplanned work. The
                           absence of urgency and a well-defined process for integrating changes lead to a higher change success
                           rate.
                           Effective change controls are in place, regularly reported, and easily audited. Preventive controls are well
                           documented and consistently executed, and detective controls are used to supervise, monitor, and reconcile
                           changes to authorized change orders.

                           Controls are conducive to substantive sampling by auditors.
                           Variances in production configurations are detected early.
                           Higher service levels (e.g., high availability/uptime/mean time between failures; low mean time to detect
                           problems/incidents; and low mean time to repair).
                           IT demonstrates efficient cost structures.
                           IT quickly identifies and resolves operational problems, including security incidents.
                           IT quickly returns to a known, reliable, trusted operational state when problems arise with a new change or
                           configuration.
                           Patches are implemented in a planned, predictable manner and are subject to the same analysis and
                           process as other changes.

                           Critical patches are added to the release engineering candidate queue where they are evaluated, tested, and
                           integrated into an already-scheduled release deployment.
                           Preventive and detective controls are automated.

                    Ineffective
                           Ad hoc, chaotic, urgent behavior requires regular intervention of technical experts.
                           A high percentage of time is spent in “firefighting” mode on reactive tasks.

                           Inability to track changes, report on change status and costs, and there are unauthorized changes.
                           Resources are spent on unplanned work at the expense of planned work.
                           Numerous undocumented changes.
                           Ineffective IT interfaces with peers (e.g., R&D, application developers, auditing, security, and operations)
                           create barriers and introduce unnecessary delays.

















                   33 — theiia.org
   291   292   293   294   295   296   297   298   299   300   301