Change Management Overview

A high level overview of what Change Management is about from a PCI perspective

  1. CHANGE MANAGEMENT: Why it's important to your business
  2. PCI Requirement on Change Management
     1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
     6.4.5 Change control procedures for the implementation of security patches and software modifications. Procedures must include the following:
       - Documentation of impact
       - Documented change approval by authorized parties
       - Functionality testing to verify that the change does not adversely impact the security of the system
       - Back-out procedures
     IT Compliance Consulting
  3. What is Change Management? ITIL definitions:
     - Change Management: the process responsible for controlling the lifecycle of all changes. The primary objective of Change Management is to enable beneficial changes to be made, with minimum disruption to IT services and security standards, and updating the existing ones.
     - Request For Change (RFC): a formal proposal for a change to be made. An RFC includes details of the proposed change, and may be recorded on paper or electronically. The term RFC is often misused to mean a change record or the change itself.
  4. What is Change Management? ITIL definitions (continued):
     - A Change: the addition, modification or removal of anything that could have an effect on IT services. The scope should include all IT services, configuration items, processes, documentation, etc.
     - Change Advisory Board (CAB): a group of people that advises the Change Manager in the assessment, prioritization and scheduling of changes. This board is usually made up of representatives from all areas within the IT service provider, representatives from the business, and third parties such as suppliers.
  5. What is included / in scope? Anything that is considered to be part of the production environment and within PCI scope:
     - Changes to the IT infrastructure (HW) or operating system (patches)
     - Any software changes, be it application (bespoke/standard) or database, new installations or upgrades
     - Changes to LAN and WAN, data lines, configuration changes, firmware upgrades, etc.
     - External systems such as mail servers, PBX for call centre, voice recording systems, etc.
     - Data center supporting equipment like UPS, generators, cooling units, fire suppression, etc.
  6. Change Advisory Board (CAB)
     The Change Advisory Board (CAB) is a body that exists to support the authorization of changes and to assist Change Management (assessment and prioritization) with changes to LAN and WAN, data lines, configuration changes, firmware upgrades, etc.
     The Change Manager normally chairs the CAB, and potential members include:
       - Customer(s)
       - Facilities/office services staff
       - Services and operations staff
       - User manager(s), user group representative(s)
       - Contractors' or third parties' representatives
       - Other parties: applications developers/maintainers, specialists/technical consultants
  7. CAB Agenda
     - The Change Management process, including any amendments made to it during the period under discussion, as well as proposed changes
     - RFCs that have already been assessed by CAB members and were put on hold, pending additional information or testing
     - Failed changes, unauthorized changes, backed-out changes, or changes applied without reference to the CAB by incident management, problem management or Change Management
     - Outstanding changes and changes in progress
     - RFCs to be assessed by CAB members, in structured and priority order
     - Advance notice of RFCs expected for review at the next CAB
     - Review of unauthorized changes detected through Configuration Management
  8. Emergency Change
     - In an emergency situation it may not be possible to convene a full CAB meeting. Where CAB approval is required, this will be provided by the Emergency CAB (ECAB).
     - Not all emergency changes will require ECAB involvement.
     - An emergency change procedure will follow the normal change procedure, except that approval will be given by the ECAB rather than waiting for the full CAB meeting.
     - The CAB should be informed of any emergency changes and/or changes that have been implemented as a workaround.
     - All emergency changes are documented and signed off by three CAB members.
  9. Detailed Change Process (flowchart; only the node labels survive extraction). Steps and decision points shown include: Initiate Change; RFC; Urgent?; Accept?; Change Manager prioritizes; ECAB evaluation and meeting; Change Manager categorizes (Minor / Significant / Major / Standard); Change Manager, CAB, CAB/Management or Change Manager authorizes and monitors; Change Builder prepares change, rollback, testing and implementation; independent testing; Positive?; Release change and implement, or rollback; Change Manager reviews; Need info? / submit more information; Close change.
  10. PCI Compliance Challenges
     - Verify that the correct access rights have been given to the various roles
     - Ensure that every week has two records of the change log: before and after the CAB
     - Consistency of the data in the log, e.g. the approval date cannot be after the installation date, and a status cannot be skipped
     - All CAB members need to sign off on the change log as a collective endorsement of everything agreed upon during the meeting
  11. Implementation Challenges
     - Everything takes longer, especially in the beginning
     - No more shortcuts by sales and management
     - It takes time for IT staff and developers to understand what complete information on a change request means
     - Starting with more rather than less is the way to go. When people make assumptions, they are generally wrong
     - Testing of the change AND the roll-back scenario is not only required, but must be documented
     - HR policies need to be upgraded to allow consequences when the process is not adhered to
  12. Change Categorization
     - Minor impact and few resources needed: Change Manager evaluates and can approve autonomously
     - Significant impact and significant resources needed: CAB meeting to evaluate and approve or reject
     - Major impact and a high level of resources needed: after CAB approval, may additionally seek management approval
     - Standard (pre-approved changes): Change Manager checks that the correct procedures are followed
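The log-consistency checks from slide 10 (approval date not after installation date, no skipped status, two snapshots per week) and the category-to-approver rules from slide 12 can be audited mechanically. The following is an added example, not part of the slide deck or any IT Compliance Consulting tooling; the status names, role labels, record layout and sample records are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Lifecycle states in order; a record may not skip one (slide 10). Assumed names.
STATUSES = ["submitted", "approved", "tested", "implemented", "reviewed", "closed"]

# Who must have signed off per category (slide 12). Role labels are assumed.
REQUIRED_APPROVERS = {
    "minor": {"change_manager"},
    "significant": {"cab"},
    "major": {"cab", "management"},
    "standard": {"change_manager"},
}

def check_record(rec):
    """Return a list of findings for one change record; an empty list means consistent."""
    findings = []
    if rec["approved_on"] > rec["installed_on"]:
        findings.append("approval date is after installation date")
    hist = rec["status_history"]
    if hist != STATUSES[:len(hist)]:  # must be a prefix of the lifecycle, in order
        findings.append(f"status history {hist} skips or reorders a state")
    missing = REQUIRED_APPROVERS[rec["category"]] - set(rec["approved_by"])
    if missing:
        findings.append("missing sign-off from " + ", ".join(sorted(missing)))
    return findings

def weeks_missing_snapshots(snapshots):
    """Slide 10: every ISO week needs both a pre-CAB and a post-CAB change-log snapshot."""
    seen = defaultdict(set)
    for day, label in snapshots:
        seen[day.isocalendar()[:2]].add(label)  # (iso_year, iso_week)
    return sorted(week for week, labels in seen.items()
                  if labels != {"pre_cab", "post_cab"})

# Constructed sample records (hypothetical ids and dates)
GOOD = {"id": "CHG-1", "category": "major", "approved_on": date(2012, 3, 5),
        "installed_on": date(2012, 3, 7), "approved_by": ["cab", "management"],
        "status_history": ["submitted", "approved", "tested", "implemented"]}
BAD = {"id": "CHG-2", "category": "significant", "approved_on": date(2012, 3, 9),
       "installed_on": date(2012, 3, 8), "approved_by": ["change_manager"],
       "status_history": ["submitted", "implemented"]}
SNAPSHOTS = [(date(2012, 3, 5), "pre_cab"), (date(2012, 3, 7), "post_cab"),
             (date(2012, 3, 12), "pre_cab")]  # ISO week 11 has no post-CAB record

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec["id"], check_record(rec) or "OK")
    print("weeks missing a snapshot:", weeks_missing_snapshots(SNAPSHOTS))
```

Running it flags CHG-2 three times (date order, skipped "approved" state, no CAB sign-off) and reports ISO week 11 as incomplete; the same functions can be run over an exported change log before each CAB meeting.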