Change management auditing
Change management is an auditing procedure for mitigating the risks associated with changes made to an IT system. Limiting unauthorized changes and having proper segregation of duties controls in place is essential to reduce the risk of implementing IT changes into production environments that could contain untested errors, malicious code, or segregation of duties violations, any of which could ultimately have a negative impact on a company's critical IT systems. Change management is an essential component of a company's IT security.
Change risks
Proper change control auditing can mitigate the following risks:
- Security features of the network turn off.
- Harmful code is distributed to users.
- Sensitive data is lost or becomes insecure.
- Financial report errors occur.
Control procedure
The following features are commonly part of a change management auditing procedure:
- Change management procedures are formally documented and controlled.
- Changes are requested in a formal process.
  - Requests are recorded and stored for reference.
- The effect of the requested change is assessed. Each change is assessed based on its projected effect on the computer system and business operations. The assessment is documented with the request.
  - Priority is based on urgency, potential benefits, and the ease with which changes can be corrected.
- Controls are imposed on changes. Changes are limited by automated or manual controls. In particular, unauthorized changes are periodically searched for.
- An emergency change process is in place. Policies clearly define emergency changes. Generally, these are errors that significantly impair system function and business operations, increase the system's vulnerability, or both. Emergency changes override some, but not all, controls. For instance, a proposed change might be documented but still not permitted without authorization.
- Change documentation is periodically updated.
- Maintenance tasks and changes are recorded.
- Controls are applied to new software releases. For security, new software releases often require controls such as backups, version control, and a secure implementation.
- Software distribution is assessed for compliance with licence agreements. Noncompliance can have disastrous financial and legal results.
- Changes are submitted for approval. Proposed changes are submitted for approval after auditors have reviewed the required resources, other changes, the effect, urgency, and the system's stability.
- Duties are separated. Responsibility for creation, approval, and application is assigned to different personnel to avoid undesired changes.
- Changes are reviewed. Changes are monitored to assess the efficacy of change management policies.
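As an added illustration (not part of the original article), the following Python script checks constructed change records and production deployments against three of the controls above: unauthorized changes are searched for, emergency changes may skip the impact assessment but never authorization, and creation, approval and application must be performed by different people. The record fields, names and finding strings are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class ChangeRecord:
    change_id: str
    requester: str            # who created the change
    approver: Optional[str]   # None if the change was never authorized
    assessed: bool            # effect assessment documented with the request
    emergency: bool = False

@dataclass
class Deployment:
    target: str               # production system that was changed
    change_id: Optional[str]  # None if no change record was referenced
    deployed_by: str          # who applied the change

def audit_changes(records: List[ChangeRecord],
                  deployments: List[Deployment]) -> List[Tuple[str, str]]:
    """Return one (identifier, finding) tuple per control violation found."""
    findings = []
    by_id = {r.change_id: r for r in records}
    for d in deployments:
        r = by_id.get(d.change_id)
        if r is None:
            # Control: unauthorized changes are periodically searched for.
            findings.append((d.target, "unauthorized change: no change record"))
            continue
        if r.approver is None:
            # Emergency changes override some controls, but never authorization.
            findings.append((r.change_id, "applied without authorization"))
        if not r.assessed and not r.emergency:
            # A routine change must carry a documented impact assessment.
            findings.append((r.change_id, "applied without impact assessment"))
        # Separation of duties: creation, approval and application by different people.
        people = [p for p in (r.requester, r.approver, d.deployed_by) if p]
        if len(set(people)) < len(people):
            findings.append((r.change_id, "segregation of duties violation"))
    return findings
# Constructed sample data for this example; not taken from any real system.
SAMPLE_RECORDS = [
    ChangeRecord("CHG-1", "alice", "bob", assessed=True),
    ChangeRecord("CHG-2", "carol", "carol", assessed=True),               # self-approved
    ChangeRecord("CHG-3", "dave", None, assessed=False, emergency=True),  # never authorized
]
SAMPLE_DEPLOYMENTS = [
    Deployment("web-01", "CHG-1", "erin"),  # compliant
    Deployment("db-01", "CHG-2", "frank"),  # requester approved their own change
    Deployment("app-01", "CHG-3", "dave"),  # unauthorized, and the requester applied it
    Deployment("app-02", None, "grace"),    # no change record at all
]
```

Calling `audit_changes(SAMPLE_RECORDS, SAMPLE_DEPLOYMENTS)` returns four findings: one segregation of duties violation for CHG-2, a missing authorization plus a segregation of duties violation for CHG-3, and an unauthorized change on app-02.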
See also
- Change management
- Information technology audit
- Information technology audit - operations