SlideShare a Scribd company logo

It change management

IT-Toolkits.org
IT-Toolkits.org

A change management process is a formal set of procedures and steps that are set in place to manage all changes, updates, or modifications to hardware and software (systems) across an organization. Typically, the change management process should be formalized through a management-approved policy. From an internal aud it perspective the policy should cover

Education
1 of 5
Download to read offline
Http://It-Toolkits.Org/ Phuong Thao Le 1 IT Change Management Auditors should provide assurance that the organization has a process in place to ensure that changes to the IT production environment don't disrupt business or cause security breaches. Comedian Billy Crystal once said, "Change is such hard work." In an IT environment change is particularly tricky. The implications of incorrectly implementing a change into an organization's production system environment can lead to potential security breaches and result in negative publicity or regulatory sanctions if breaches occur. Moreover, organizations that lack a change management process run a significant risk that unauthorized changes may be introduced into the production environment. A change management process is a formal set of procedures and steps that are set in place to manage all changes, updates, or modifications to hardware and software (systems) across an organization. Typically, the change management process should be formalized through a management-approved policy. From an internal aud it perspective the policy should cover:
Http://It-Toolkits.Org/ Phuong Thao Le 2 Scope of policy. The scope should detail the types of change and systems for which the policy is applicable. Authorization and approval. All major changes should be authorized by the system owner before its implementation in a live environment. The policy should identify which changes are exempt from the change management process, but the exemption should be documented and approved. Testing requirements. All changes must be tested and approved by the users/system owner before migration into the production environment. Segregation of duties. The physical act of migrating the change should be performed by an independent person. Typically, this is completed by the change and release manager. The auditor should provide assurance that a change management policy and framework are in place to ensure that all changes to production systems are managed consistently and formally. Moreover, they should ascertain whether the organization educates users of the process on the various steps. Change Management Process The purpose of the change management process is to manage the scheduling of changes with minimum disruption to IT services. The goal of the process is to implement fault-free changes with minimal business impact. A definition of a change should be specified in the process. Typically, a change is any task or action that can alter the organization's IT production environment. Step 1: Initiation A change inquiry may be initiated by a user or a nominated business representative, who usually completes a form specifying the type of change, its potential impact, and proposed date of implementation. Usually, this form is electronic and is available on an organization's intranet. The user should provide as much detail as possible to the reviewer of the change inquiry to ensure an appropriate action can be taken. During this stage of the process, the auditor should ensure that there is sufficient detail in the inquiry form to make a decision. Also, the auditor should check whether the business manager or someone in authority has supported the change inquiry.
Http://It-Toolkits.Org/ Phuong Thao Le 3 Step 2: Categorization An authorized person, usually a change manager, reviews the change inquiry and allocates a unique number that designates it as a change request. This change request number enables tracking of a specific request at any time and at any stage of the process. In many organizations a forum of senior business users meets regularly to review submitted change requests. A change management forum's decision about a change request may fall into one of three categories: Accepted. The change request has some business benefit, and it is worthwhile for further investigation or work to be undertaken. Rejected. There is no business benefit and the change request is declined. On hold/further work is needed. The forum requires further information to make a decision. Based on the change requests that have been accepted, a further categorization based on a risk assessment needs to be undertaken by the change manager and endorsed by the forum: Type A. Change impacts multiple systems and has a customer impact. There is high technical complexity. Type B. Change impacts one system and has a customer/business impact. There is a medium level of complexity. Type C. Change impacts one system and there is a low level of complexity. The auditor should ensure that all change inquiries have been assigned a unique number. Further, auditors should ascertain whether all change requests have been considered by the change management forum and whether the change manager has conducted a risk assessment. The auditor also should assess whether the forum's membership is appropriate and its roles and responsibilities are documented in a charter. Step 3: Release Decision Once a change request has been worked on and tested, it must be presented to the change management forum to ascertain whether the change can be released into the production environment. This release decision should be based on the risk assessment decision made in step 2. Before approving the release of a change, the change management forum should consider whether:
Http://It-Toolkits.Org/ Phuong Thao Le 4 All testing is complete and authorized by the appropriate parties. This should include user acceptance testing at a minimum, as well as stress and volume, regression, performance, and security vulnerability testing, if applicable. A run sheet containing roll-back and back-out procedures has been documented. All quality measures have been met. This is usually defined as part of the system development life cycle and is out of scope for the change management process. Outage impacts have been determined. This is the amount of time a system will not be available while the change is being implemented. Impacted business units/stakeholders have been informed that the system may not be available for a specified time period. Communication to users is only needed when there is a direct impact to them. System documentation has been updated. Operational teams are ready to support the change. The auditor should ensure that all change requests are approved by the forum and all documentation is in place to support the decision. Step 4: Migration It is important that the actual migration of the change is completed by a person who is independent from the development team because there is a risk that unauthorized changes may be made to production code. In most organizations, the change manager performs this function. The auditor should ensure that only authorized personnel can migrate code into the production environment by checking the security access profiles of users. While conducting this work, there also is some merit in checking the access profiles of developers to ensure that their access is restricted to development environments. Step 5: Emergency Changes At times, urgent emergency changes may be needed with no time to follow the standard process. To prepare for this scenario, the organization should develop an emergency change management process, preferably with authorization from a senior manager or a subgroup of the change management forum. Emergency access also should be authorized by the manager or subgroup. Once the change is implemented, the key participants in the change should conduct a post-implementation review (PIR) to ascertain the impact of the
Http://It-Toolkits.Org/ Phuong Thao Le 5 change to the process and system and report the findings to the forum. A PIR also may be conducted for key changes. From an internal aud it perspective, hastily implemented emergency changes pose a great risk to the organization because they do not apply the same level of rigor and due process established for the change management process. The auditor should ensure that temporary access provided to personnel is removed promptly. Step 6: Reporting and Tracking All change inquiries and requests should be reported to senior management on a regular basis. An automated change management system can track and report on each unique change request number at any point in time. The auditor should ensure that timely reports are produced and used by management. Furthermore, the auditor should ascertain that open changes are managed and closed out promptly. Managing the Risks of Change By following each of the steps in the change management process, organizations can manage the significant risk associated with introducing system changes. Auditors can assist their organization by ensuring that processes are in place to identify and manage these risks timely. (COLLECT)

Recommended

knowledge Byte -IT change management
knowledge Byte -IT change managementknowledge Byte -IT change management
knowledge Byte -IT change managementmohitnkm
 
ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence Freshservice
 
P2 how to develop an it change management program
P2 how to develop an it change management programP2 how to develop an it change management program
P2 how to develop an it change management programIT-Toolkits.org
 
ChangeManagementTraining
ChangeManagementTrainingChangeManagementTraining
ChangeManagementTrainingMichael Perry
 
Numara change & approval mgmt
Numara change & approval mgmtNumara change & approval mgmt
Numara change & approval mgmtSan Francisco Bay Area
 
Adaptive Six Sigma Case Study - MACH Teledata - 01
Adaptive Six Sigma Case Study - MACH Teledata - 01Adaptive Six Sigma Case Study - MACH Teledata - 01
Adaptive Six Sigma Case Study - MACH Teledata - 01LN Mishra CBAP
 
Itil prc review
Itil prc reviewItil prc review
Itil prc reviewSteven Ragsdale
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 

Recommended

knowledge Byte -IT change management
knowledge Byte -IT change managementknowledge Byte -IT change management
knowledge Byte -IT change managementmohitnkm
 
ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence Freshservice
 
P2 how to develop an it change management program
P2 how to develop an it change management programP2 how to develop an it change management program
P2 how to develop an it change management programIT-Toolkits.org
 
ChangeManagementTraining
ChangeManagementTrainingChangeManagementTraining
ChangeManagementTrainingMichael Perry
 
Numara change & approval mgmt
Numara change & approval mgmtNumara change & approval mgmt
Numara change & approval mgmtSan Francisco Bay Area
 
Adaptive Six Sigma Case Study - MACH Teledata - 01
Adaptive Six Sigma Case Study - MACH Teledata - 01Adaptive Six Sigma Case Study - MACH Teledata - 01
Adaptive Six Sigma Case Study - MACH Teledata - 01LN Mishra CBAP
 
Itil prc review
Itil prc reviewItil prc review
Itil prc reviewSteven Ragsdale
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
Optimize your Change Management Process
Optimize your Change Management ProcessOptimize your Change Management Process
Optimize your Change Management ProcessJason Goncalves
 
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...NAFCU Services Corporation
 
TEST
TESTTEST
TESTreachtim
 
Ais Romney 2006 Slides 19 Ais Development Strategies
Ais Romney 2006 Slides 19 Ais Development StrategiesAis Romney 2006 Slides 19 Ais Development Strategies
Ais Romney 2006 Slides 19 Ais Development StrategiesSharing Slides Training
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Donald E. Hester
 
Dit yvol5iss35
Dit yvol5iss35Dit yvol5iss35
Dit yvol5iss35Rick Lemieux
 
RIMS: Remote Infrastructure Management Services
RIMS: Remote Infrastructure Management Services RIMS: Remote Infrastructure Management Services
RIMS: Remote Infrastructure Management Services Abhishek Agnihotry
 
Q3edge Case Study
Q3edge Case StudyQ3edge Case Study
Q3edge Case StudySushant Pande,PRINCE2
 
Managing a Major Incident
Managing a Major IncidentManaging a Major Incident
Managing a Major IncidentNUS-ISS
 
Internal Controls
Internal ControlsInternal Controls
Internal ControlsNational Pork Board
 
Electrical engineering control plans building on a valid control framework -...
Electrical engineering control plans building on a valid control framework -...Electrical engineering control plans building on a valid control framework -...
Electrical engineering control plans building on a valid control framework -...NSW Environment and Planning
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Technology considerations
Technology considerationsTechnology considerations
Technology considerationsMusTufa Nullwala
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it auditkinjalmkothari92
 
Compliance
ComplianceCompliance
CompliancePriyank Hada
 
Functional safety-overview
Functional safety-overviewFunctional safety-overview
Functional safety-overviewUriah Edmunds
 
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Sreekanth Narendran
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-PracticesMarco Raposo
 
008.itsecurity bcp v1
008.itsecurity bcp v1008.itsecurity bcp v1
008.itsecurity bcp v1Mohammad Ashfaqur Rahman
 
5 Things to Look for in Corrective Action Software Solutions
5 Things to Look for in Corrective Action Software Solutions5 Things to Look for in Corrective Action Software Solutions
5 Things to Look for in Corrective Action Software SolutionsEtQ, Inc.
 
Six time management tips for project managers it-toolkits
Six time management tips for project managers it-toolkitsSix time management tips for project managers it-toolkits
Six time management tips for project managers it-toolkitsIT-Toolkits.org
 
How to set realistic priorities for it budget planning it-toolkits
How to set realistic priorities for it budget planning it-toolkitsHow to set realistic priorities for it budget planning it-toolkits
How to set realistic priorities for it budget planning it-toolkitsIT-Toolkits.org
 

More Related Content

What's hot

Optimize your Change Management Process
Optimize your Change Management ProcessOptimize your Change Management Process
Optimize your Change Management ProcessJason Goncalves
 
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...NAFCU Services Corporation
 
Ais Romney 2006 Slides 19 Ais Development Strategies
Ais Romney 2006 Slides 19 Ais Development StrategiesAis Romney 2006 Slides 19 Ais Development Strategies
Ais Romney 2006 Slides 19 Ais Development StrategiesSharing Slides Training
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Donald E. Hester
 
RIMS: Remote Infrastructure Management Services
RIMS: Remote Infrastructure Management Services RIMS: Remote Infrastructure Management Services
RIMS: Remote Infrastructure Management Services Abhishek Agnihotry
 
Managing a Major Incident
Managing a Major IncidentManaging a Major Incident
Managing a Major IncidentNUS-ISS
 
Electrical engineering control plans building on a valid control framework -...
Electrical engineering control plans building on a valid control framework -...Electrical engineering control plans building on a valid control framework -...
Electrical engineering control plans building on a valid control framework -...NSW Environment and Planning
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Functional safety-overview
Functional safety-overviewFunctional safety-overview
Functional safety-overviewUriah Edmunds
 
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Sreekanth Narendran
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-PracticesMarco Raposo
 
5 Things to Look for in Corrective Action Software Solutions
5 Things to Look for in Corrective Action Software Solutions5 Things to Look for in Corrective Action Software Solutions
5 Things to Look for in Corrective Action Software SolutionsEtQ, Inc.
 

What's hot (20)

Optimize your Change Management Process
Optimize your Change Management ProcessOptimize your Change Management Process
Optimize your Change Management Process
 
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
 
TEST
TESTTEST
TEST
 
Ais Romney 2006 Slides 19 Ais Development Strategies
Ais Romney 2006 Slides 19 Ais Development StrategiesAis Romney 2006 Slides 19 Ais Development Strategies
Ais Romney 2006 Slides 19 Ais Development Strategies
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010
 
Dit yvol5iss35
Dit yvol5iss35Dit yvol5iss35
Dit yvol5iss35
 
RIMS: Remote Infrastructure Management Services
RIMS: Remote Infrastructure Management Services RIMS: Remote Infrastructure Management Services
RIMS: Remote Infrastructure Management Services
 
Q3edge Case Study
Q3edge Case StudyQ3edge Case Study
Q3edge Case Study
 
Managing a Major Incident
Managing a Major IncidentManaging a Major Incident
Managing a Major Incident
 
Internal Controls
Internal ControlsInternal Controls
Internal Controls
 
Electrical engineering control plans building on a valid control framework -...
Electrical engineering control plans building on a valid control framework -...Electrical engineering control plans building on a valid control framework -...
Electrical engineering control plans building on a valid control framework -...
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Technology considerations
Technology considerationsTechnology considerations
Technology considerations
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it audit
 
Compliance
ComplianceCompliance
Compliance
 
Functional safety-overview
Functional safety-overviewFunctional safety-overview
Functional safety-overview
 
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
 
008.itsecurity bcp v1
008.itsecurity bcp v1008.itsecurity bcp v1
008.itsecurity bcp v1
 
5 Things to Look for in Corrective Action Software Solutions
5 Things to Look for in Corrective Action Software Solutions5 Things to Look for in Corrective Action Software Solutions
5 Things to Look for in Corrective Action Software Solutions
 

Viewers also liked

Six time management tips for project managers it-toolkits
Six time management tips for project managers it-toolkitsSix time management tips for project managers it-toolkits
Six time management tips for project managers it-toolkitsIT-Toolkits.org
 
How to set realistic priorities for it budget planning it-toolkits
How to set realistic priorities for it budget planning it-toolkitsHow to set realistic priorities for it budget planning it-toolkits
How to set realistic priorities for it budget planning it-toolkitsIT-Toolkits.org
 
A guide to creating a quality project schedule it-toolkits
A guide to creating a quality project schedule it-toolkitsA guide to creating a quality project schedule it-toolkits
A guide to creating a quality project schedule it-toolkitsIT-Toolkits.org
 
How to recruit an it project manager it-toolkits
How to recruit an it project manager it-toolkitsHow to recruit an it project manager it-toolkits
How to recruit an it project manager it-toolkitsIT-Toolkits.org
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...IT-Toolkits.org
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to itIT-Toolkits.org
 
It Organization Management : Revisiting Centralization
It Organization Management : Revisiting CentralizationIt Organization Management : Revisiting Centralization
It Organization Management : Revisiting CentralizationIT-Toolkits.org
 
Turn your customer's needs into successful it projects it-toolkits
Turn your customer's needs into successful it projects it-toolkitsTurn your customer's needs into successful it projects it-toolkits
Turn your customer's needs into successful it projects it-toolkitsIT-Toolkits.org
 
Planning more effective milestones in web design projects it-toolkits
Planning more effective milestones in web design projects it-toolkitsPlanning more effective milestones in web design projects it-toolkits
Planning more effective milestones in web design projects it-toolkitsIT-Toolkits.org
 
An it manager’s new best friend the company balance sheet it-toolkits
An it manager’s new best friend the company balance sheet it-toolkitsAn it manager’s new best friend the company balance sheet it-toolkits
An it manager’s new best friend the company balance sheet it-toolkitsIT-Toolkits.org
 

Viewers also liked (10)

Six time management tips for project managers it-toolkits
Six time management tips for project managers it-toolkitsSix time management tips for project managers it-toolkits
Six time management tips for project managers it-toolkits
 
How to set realistic priorities for it budget planning it-toolkits
How to set realistic priorities for it budget planning it-toolkitsHow to set realistic priorities for it budget planning it-toolkits
How to set realistic priorities for it budget planning it-toolkits
 
A guide to creating a quality project schedule it-toolkits
A guide to creating a quality project schedule it-toolkitsA guide to creating a quality project schedule it-toolkits
A guide to creating a quality project schedule it-toolkits
 
How to recruit an it project manager it-toolkits
How to recruit an it project manager it-toolkitsHow to recruit an it project manager it-toolkits
How to recruit an it project manager it-toolkits
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to it
 
It Organization Management : Revisiting Centralization
It Organization Management : Revisiting CentralizationIt Organization Management : Revisiting Centralization
It Organization Management : Revisiting Centralization
 
Turn your customer's needs into successful it projects it-toolkits
Turn your customer's needs into successful it projects it-toolkitsTurn your customer's needs into successful it projects it-toolkits
Turn your customer's needs into successful it projects it-toolkits
 
Planning more effective milestones in web design projects it-toolkits
Planning more effective milestones in web design projects it-toolkitsPlanning more effective milestones in web design projects it-toolkits
Planning more effective milestones in web design projects it-toolkits
 
An it manager’s new best friend the company balance sheet it-toolkits
An it manager’s new best friend the company balance sheet it-toolkitsAn it manager’s new best friend the company balance sheet it-toolkits
An it manager’s new best friend the company balance sheet it-toolkits
 

Similar to It change management

293504541-ict-its4-03-0811-assist-with-policy-development-for-client-support-...
293504541-ict-its4-03-0811-assist-with-policy-development-for-client-support-...293504541-ict-its4-03-0811-assist-with-policy-development-for-client-support-...
293504541-ict-its4-03-0811-assist-with-policy-development-for-client-support-...kndnewguade
 
Assisit with devlopment.pptx
Assisit with devlopment.pptxAssisit with devlopment.pptx
Assisit with devlopment.pptxTadeseBeyene
 
Change_Management (1).ppt
Change_Management (1).pptChange_Management (1).ppt
Change_Management (1).pptrajuhaveri1
 
Change_Management.ppt
Change_Management.pptChange_Management.ppt
Change_Management.pptrajuhaveri1
 
Change_Management.ppt
Change_Management.pptChange_Management.ppt
Change_Management.pptrajuhaveri1
 
5 steps project change control process
5 steps project change control process5 steps project change control process
5 steps project change control processPM Majik
 
Change management system
Change management systemChange management system
Change management systemmanusb07
 
Change Management - ITIL
Change Management - ITILChange Management - ITIL
Change Management - ITILconnorsmaureen
 
FixNix 17 products1.0
FixNix 17 products1.0FixNix 17 products1.0
FixNix 17 products1.0FixNix Inc.,
 
9 Trng6_Change_Management_CIT.pdf
9 Trng6_Change_Management_CIT.pdf9 Trng6_Change_Management_CIT.pdf
9 Trng6_Change_Management_CIT.pdfRatheshPriyanK1
 
Presentation on-change-control
Presentation on-change-controlPresentation on-change-control
Presentation on-change-controlsachin kumar
 

Similar to It change management (20)

293504541-ict-its4-03-0811-assist-with-policy-development-for-client-support-...
293504541-ict-its4-03-0811-assist-with-policy-development-for-client-support-...293504541-ict-its4-03-0811-assist-with-policy-development-for-client-support-...
293504541-ict-its4-03-0811-assist-with-policy-development-for-client-support-...
 
Assisit with devlopment.pptx
Assisit with devlopment.pptxAssisit with devlopment.pptx
Assisit with devlopment.pptx
 
PACE-IT: Basics of Change Management
PACE-IT: Basics of Change ManagementPACE-IT: Basics of Change Management
PACE-IT: Basics of Change Management
 
Change_Management (1).ppt
Change_Management (1).pptChange_Management (1).ppt
Change_Management (1).ppt
 
Change_Management.ppt
Change_Management.pptChange_Management.ppt
Change_Management.ppt
 
Change_Management.ppt
Change_Management.pptChange_Management.ppt
Change_Management.ppt
 
Dit yvol4iss08
Dit yvol4iss08Dit yvol4iss08
Dit yvol4iss08
 
5 steps project change control process
5 steps project change control process5 steps project change control process
5 steps project change control process
 
Dit yvol4iss27
Dit yvol4iss27Dit yvol4iss27
Dit yvol4iss27
 
Change management system
Change management systemChange management system
Change management system
 
MOC2016_v2
MOC2016_v2MOC2016_v2
MOC2016_v2
 
Change Management - ITIL
Change Management - ITILChange Management - ITIL
Change Management - ITIL
 
Information System (IS) life cycle.pptx
Information System (IS) life cycle.pptxInformation System (IS) life cycle.pptx
Information System (IS) life cycle.pptx
 
Systems request
Systems requestSystems request
Systems request
 
FixNix 17 products1.0
FixNix 17 products1.0FixNix 17 products1.0
FixNix 17 products1.0
 
9 Trng6_Change_Management_CIT.pdf
9 Trng6_Change_Management_CIT.pdf9 Trng6_Change_Management_CIT.pdf
9 Trng6_Change_Management_CIT.pdf
 
Change control
Change controlChange control
Change control
 
Effective Change Management
Effective Change ManagementEffective Change Management
Effective Change Management
 
Optimize Change Management
Optimize Change ManagementOptimize Change Management
Optimize Change Management
 
Presentation on-change-control
Presentation on-change-controlPresentation on-change-control
Presentation on-change-control
 

More from IT-Toolkits.org

Risk Management & Information Security Management Systems
Risk Management & Information Security Management SystemsRisk Management & Information Security Management Systems
Risk Management & Information Security Management SystemsIT-Toolkits.org
 
Information Technology & Its Role in the Modern Organization
Information Technology & Its Role in the Modern OrganizationInformation Technology & Its Role in the Modern Organization
Information Technology & Its Role in the Modern OrganizationIT-Toolkits.org
 
25 important considerations for selecting new customer support tools
25 important considerations for selecting new customer support tools25 important considerations for selecting new customer support tools
25 important considerations for selecting new customer support toolsIT-Toolkits.org
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to itIT-Toolkits.org
 
The basics of managing i.t
The basics of managing i.tThe basics of managing i.t
The basics of managing i.tIT-Toolkits.org
 
It management audits it management templates
It management audits it management templatesIt management audits it management templates
It management audits it management templatesIT-Toolkits.org
 
What is value added- it management_ - it management templates
What is value added- it management_ - it management templatesWhat is value added- it management_ - it management templates
What is value added- it management_ - it management templatesIT-Toolkits.org
 
7 steps to business and it alignment it management templates
7 steps to business and it alignment it management templates7 steps to business and it alignment it management templates
7 steps to business and it alignment it management templatesIT-Toolkits.org
 
Relevant it – it solutions to bridge the gap between business and it it man...
Relevant it – it solutions to bridge the gap between business and it it man...Relevant it – it solutions to bridge the gap between business and it it man...
Relevant it – it solutions to bridge the gap between business and it it man...IT-Toolkits.org
 
Finding a common ground between finance and it it management templates
Finding a common ground between finance and it it management templatesFinding a common ground between finance and it it management templates
Finding a common ground between finance and it it management templatesIT-Toolkits.org
 
How to write your company's it security policy it-toolkits
How to write your company's it security policy it-toolkitsHow to write your company's it security policy it-toolkits
How to write your company's it security policy it-toolkitsIT-Toolkits.org
 
The benefits of technology standards it-toolkits
The benefits of technology standards it-toolkitsThe benefits of technology standards it-toolkits
The benefits of technology standards it-toolkitsIT-Toolkits.org
 
Email policies tools to govern usage, access and etiquette it-toolkits
Email policies tools to govern usage, access and etiquette it-toolkitsEmail policies tools to govern usage, access and etiquette it-toolkits
Email policies tools to govern usage, access and etiquette it-toolkitsIT-Toolkits.org
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsFundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsIT-Toolkits.org
 
Why do you need an it policy it-toolkits
Why do you need an it policy it-toolkitsWhy do you need an it policy it-toolkits
Why do you need an it policy it-toolkitsIT-Toolkits.org
 
Help desk ticket categories create help desk ticket classification it-tool...
Help desk ticket categories create help desk ticket classification it-tool...Help desk ticket categories create help desk ticket classification it-tool...
Help desk ticket categories create help desk ticket classification it-tool...IT-Toolkits.org
 
Help desk mission and vision statements. it-toolkits
Help desk mission and vision statements. it-toolkitsHelp desk mission and vision statements. it-toolkits
Help desk mission and vision statements. it-toolkitsIT-Toolkits.org
 
Help desk problem management it-toolkits
Help desk problem management it-toolkitsHelp desk problem management it-toolkits
Help desk problem management it-toolkitsIT-Toolkits.org
 
Help desk kpi it-toolkits
Help desk kpi it-toolkitsHelp desk kpi it-toolkits
Help desk kpi it-toolkitsIT-Toolkits.org
 
It help desk what is a help desk - it-toolkits
It help desk what is a help desk - it-toolkitsIt help desk what is a help desk - it-toolkits
It help desk what is a help desk - it-toolkitsIT-Toolkits.org
 

More from IT-Toolkits.org (20)

Risk Management & Information Security Management Systems
Risk Management & Information Security Management SystemsRisk Management & Information Security Management Systems
Risk Management & Information Security Management Systems
 
Information Technology & Its Role in the Modern Organization
Information Technology & Its Role in the Modern OrganizationInformation Technology & Its Role in the Modern Organization
Information Technology & Its Role in the Modern Organization
 
25 important considerations for selecting new customer support tools
25 important considerations for selecting new customer support tools25 important considerations for selecting new customer support tools
25 important considerations for selecting new customer support tools
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to it
 
The basics of managing i.t
The basics of managing i.tThe basics of managing i.t
The basics of managing i.t
 
It management audits it management templates
It management audits it management templatesIt management audits it management templates
It management audits it management templates
 
What is value added- it management_ - it management templates
What is value added- it management_ - it management templatesWhat is value added- it management_ - it management templates
What is value added- it management_ - it management templates
 
7 steps to business and it alignment it management templates
7 steps to business and it alignment it management templates7 steps to business and it alignment it management templates
7 steps to business and it alignment it management templates
 
Relevant it – it solutions to bridge the gap between business and it it man...
Relevant it – it solutions to bridge the gap between business and it it man...Relevant it – it solutions to bridge the gap between business and it it man...
Relevant it – it solutions to bridge the gap between business and it it man...
 
Finding a common ground between finance and it it management templates
Finding a common ground between finance and it it management templatesFinding a common ground between finance and it it management templates
Finding a common ground between finance and it it management templates
 
How to write your company's it security policy it-toolkits
How to write your company's it security policy it-toolkitsHow to write your company's it security policy it-toolkits
How to write your company's it security policy it-toolkits
 
The benefits of technology standards it-toolkits
The benefits of technology standards it-toolkitsThe benefits of technology standards it-toolkits
The benefits of technology standards it-toolkits
 
Email policies tools to govern usage, access and etiquette it-toolkits
Email policies tools to govern usage, access and etiquette it-toolkitsEmail policies tools to govern usage, access and etiquette it-toolkits
Email policies tools to govern usage, access and etiquette it-toolkits
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsFundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkits
 
Why do you need an it policy it-toolkits
Why do you need an it policy it-toolkitsWhy do you need an it policy it-toolkits
Why do you need an it policy it-toolkits
 
Help desk ticket categories create help desk ticket classification it-tool...
Help desk ticket categories create help desk ticket classification it-tool...Help desk ticket categories create help desk ticket classification it-tool...
Help desk ticket categories create help desk ticket classification it-tool...
 
Help desk mission and vision statements. it-toolkits
Help desk mission and vision statements. it-toolkitsHelp desk mission and vision statements. it-toolkits
Help desk mission and vision statements. it-toolkits
 
Help desk problem management it-toolkits
Help desk problem management it-toolkitsHelp desk problem management it-toolkits
Help desk problem management it-toolkits
 
Help desk kpi it-toolkits
Help desk kpi it-toolkitsHelp desk kpi it-toolkits
Help desk kpi it-toolkits
 
It help desk what is a help desk - it-toolkits
It help desk what is a help desk - it-toolkitsIt help desk what is a help desk - it-toolkits
It help desk what is a help desk - it-toolkits
 

Recently uploaded

CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...jaredbarbolino94
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxsocialsciencegdgrohi
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 

Recently uploaded (20)

CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 

It change management

  • 1. Http://It-Toolkits.Org/ Phuong Thao Le 1 IT Change Management Auditors should provide assurance that the organization has a process in place to ensure that changes to the IT production environment don't disrupt business or cause security breaches. Comedian Billy Crystal once said, "Change is such hard work." In an IT environment change is particularly tricky. The implications of incorrectly implementing a change into an organization's production system environment can lead to potential security breaches and result in negative publicity or regulatory sanctions if breaches occur. Moreover, organizations that lack a change management process run a significant risk that unauthorized changes may be introduced into the production environment. A change management process is a formal set of procedures and steps that are set in place to manage all changes, updates, or modifications to hardware and software (systems) across an organization. Typically, the change management process should be formalized through a management-approved policy. From an internal aud it perspective the policy should cover:
  • 2. Http://It-Toolkits.Org/ Phuong Thao Le 2 Scope of policy. The scope should detail the types of change and systems for which the policy is applicable. Authorization and approval. All major changes should be authorized by the system owner before its implementation in a live environment. The policy should identify which changes are exempt from the change management process, but the exemption should be documented and approved. Testing requirements. All changes must be tested and approved by the users/system owner before migration into the production environment. Segregation of duties. The physical act of migrating the change should be performed by an independent person. Typically, this is completed by the change and release manager. The auditor should provide assurance that a change management policy and framework are in place to ensure that all changes to production systems are managed consistently and formally. Moreover, they should ascertain whether the organization educates users of the process on the various steps. Change Management Process The purpose of the change management process is to manage the scheduling of changes with minimum disruption to IT services. The goal of the process is to implement fault-free changes with minimal business impact. A definition of a change should be specified in the process. Typically, a change is any task or action that can alter the organization's IT production environment. Step 1: Initiation A change inquiry may be initiated by a user or a nominated business representative, who usually completes a form specifying the type of change, its potential impact, and proposed date of implementation. Usually, this form is electronic and is available on an organization's intranet. The user should provide as much detail as possible to the reviewer of the change inquiry to ensure an appropriate action can be taken. During this stage of the process, the auditor should ensure that there is sufficient detail in the inquiry form to make a decision. Also, the auditor should check whether the business manager or someone in authority has supported the change inquiry.
  • 3. Http://It-Toolkits.Org/ Phuong Thao Le 3 Step 2: Categorization An authorized person, usually a change manager, reviews the change inquiry and allocates a unique number that designates it as a change request. This change request number enables tracking of a specific request at any time and at any stage of the process. In many organizations a forum of senior business users meets regularly to review submitted change requests. A change management forum's decision about a change request may fall into one of three categories: Accepted. The change request has some business benefit, and it is worthwhile for further investigation or work to be undertaken. Rejected. There is no business benefit and the change request is declined. On hold/further work is needed. The forum requires further information to make a decision. Based on the change requests that have been accepted, a further categorization based on a risk assessment needs to be undertaken by the change manager and endorsed by the forum: Type A. Change impacts multiple systems and has a customer impact. There is high technical complexity. Type B. Change impacts one system and has a customer/business impact. There is a medium level of complexity. Type C. Change impacts one system and there is a low level of complexity. The auditor should ensure that all change inquiries have been assigned a unique number. Further, auditors should ascertain whether all change requests have been considered by the change management forum and whether the change manager has conducted a risk assessment. The auditor also should assess whether the forum's membership is appropriate and its roles and responsibilities are documented in a charter. Step 3: Release Decision Once a change request has been worked on and tested, it must be presented to the change management forum to ascertain whether the change can be released into the production environment. This release decision should be based on the risk assessment decision made in step 2. Before approving the release of a change, the change management forum should consider whether:
  • 4. Http://It-Toolkits.Org/ Phuong Thao Le 4 All testing is complete and authorized by the appropriate parties. This should include user acceptance testing at a minimum, as well as stress and volume, regression, performance, and security vulnerability testing, if applicable. A run sheet containing roll-back and back-out procedures has been documented. All quality measures have been met. This is usually defined as part of the system development life cycle and is out of scope for the change management process. Outage impacts have been determined. This is the amount of time a system will not be available while the change is being implemented. Impacted business units/stakeholders have been informed that the system may not be available for a specified time period. Communication to users is only needed when there is a direct impact to them. System documentation has been updated. Operational teams are ready to support the change. The auditor should ensure that all change requests are approved by the forum and all documentation is in place to support the decision. Step 4: Migration It is important that the actual migration of the change is completed by a person who is independent from the development team because there is a risk that unauthorized changes may be made to production code. In most organizations, the change manager performs this function. The auditor should ensure that only authorized personnel can migrate code into the production environment by checking the security access profiles of users. While conducting this work, there also is some merit in checking the access profiles of developers to ensure that their access is restricted to development environments. Step 5: Emergency Changes At times, urgent emergency changes may be needed with no time to follow the standard process. To prepare for this scenario, the organization should develop an emergency change management process, preferably with authorization from a senior manager or a subgroup of the change management forum. Emergency access also should be authorized by the manager or subgroup. Once the change is implemented, the key participants in the change should conduct a post-implementation review (PIR) to ascertain the impact of the
  • 5. Http://It-Toolkits.Org/ Phuong Thao Le 5 change to the process and system and report the findings to the forum. A PIR also may be conducted for key changes. From an internal aud it perspective, hastily implemented emergency changes pose a great risk to the organization because they do not apply the same level of rigor and due process established for the change management process. The auditor should ensure that temporary access provided to personnel is removed promptly. Step 6: Reporting and Tracking All change inquiries and requests should be reported to senior management on a regular basis. An automated change management system can track and report on each unique change request number at any point in time. The auditor should ensure that timely reports are produced and used by management. Furthermore, the auditor should ascertain that open changes are managed and closed out promptly. Managing the Risks of Change By following each of the steps in the change management process, organizations can manage the significant risk associated with introducing system changes. Auditors can assist their organization by ensuring that processes are in place to identify and manage these risks timely. (COLLECT)