Change and Patch Management Controls

Stephanie Tarr

Change and patch management

Defined as set of processes executed within the organization’s IT department designed to manage the enhancements, updates, incremental fixes and patches to production systems which include such as application code revisions, system upgrades, infrastructure changes

Top 5 Risks Indicators of Poor Change Management Unauthorized changes Unplanned outages Low change success rate High number of emergency changes Delayed project implementations

Why is IT Change important?

Spend less money and IT energy on unplanned work

Spend more money on achieving business goals

Experience less downtown Install patches with minimum disruption Focus on improvements and less on

“putting out fires”

Change Management Process

Most organizations have a process but the question is whether it is as effective and efficient as possible as well as is it used for all IT changes.

It is the one of the most difficult disciplines to implement due to the cross-functional team applications, developers, IT operations staff, auditors, and business people

To ease the process each of the participants roles should be defined in the change management procedures

Main goals of better managing an organizations IT changes are to reduce risk, reduce unplanned work, eliminate unintended results, and improve the quality of services for internal and external customers

Sarbanes-Oxley Compliance

Uncontrolled changes in the production environment can lead to errors, that if pervasive or critical, might be considered significant deficiencies that must be reported to the organizations audit committee

Serious deficiencies also called “material weaknesses” for public companies are required to be disclosed publicly by companies in their filings

IT general control (ITGC) weakness is classified as “material weakness” if one or more of the following exists: 1. an application control weakness is caused by or related to, an ITGC weakness is rated as a material weakness 2. ITGC weakness leads to the conclusion that there is a material weakness in the organizations control environment 3. ITGC weakness classified as a significant deficiency remains uncorrected after some reasonable period of time

COSO ERM Model for Change Management

Monitoring Information and Communication Control Activities Risk Response Risk Assessment Event Identification Objective Setting Internal Environment

Assets subject to Change Management

Hardware's: mainframes, servers, workstations, routers, switches, and mobile devices

Software: operating systems and application Information, data, and data structures: files and databases Security controls such as anti-virus software, firewalls, and

intrusion protection systems Processes, policies, and procedures Roles/responsibilities such as authorization, authority to act, and

access controls

Change Management Metrics Metrics and Indicators Guidelines

Number of changes authorized per week, as measured by the change management log of authorized changes

Number of actual changes made per week, as measured by detective controls such as monitoring software

Change success rate

% of time spent on unplanned work

High-performing organizations can sustain over 1,000 successful changes per week

The number of changes actually implemented for the week should not exceed the number of authorized changes

High performing organizations regularly achieve change success rates of 99%

Low is better

Unplanned work as Indicator of Effective Change Management Process

# of Production X Failed Change % or X Mean Time to Repair = % of Time Spent on

Changes Unauthorized changes Unplanned work

Failed Change % or Unauthorized Changes:

Increase – effective change testing and change scheduling

Decrease – management ownership of change process and effective separation

of duties

Mean Time to Repair:

Decrease – Effective communications and monitoring of production changes

Common questions by auditors ?

Describe what controls you need in your change management process?

What is your acceptable # of unauthorized changes? How disruptive is your patching process? How do you keep overall watch on the health of the

process? What is the goal of your process?

Change Management Capability Levels

Changes Control the Organization

Organization Controls the Changes

Reactive

Using the Honor System

Closed Loop Process

Continuously Improving

IT Management Necessary Controls

Preventative controls– Change authorization (ex. documentation showing the CM process and authorization

levels)

– Separation of duties Detective controls

– Supervision and monitoring (ex. Changes to production equipment tracked in work logs and change orders)

– Substantive sampling to audit the accuracy of the reconciliation between production changes and authorized changes

Corrective/Recovery Controls– Any change outside of the CM process is documented

– Post-implementation reviews performed

Internal Auditor’s Role

1. Understand the basic components of change management and ask questions

2. Assess effectiveness of change management process (perform a walk-through)

3. Obtain IT management scorecard for measuring process effectiveness

4. Determine if IT management has assigned responsibility to someone other than a software developer

5. Determine if audit trails can be manipulated or destroyed

6. Look for the indicators of effective control management with an emphasis on business risks

7. Aid management in improving their approach to change management

8. If outsourcing IT functions determine if the Company’s expectations are identified clearly in the service level agreements and contracts (ex. Who is responsible for day to day requests? Who monitors compliance with the SLAs)

9. Support findings with the business value of effective change management as well as the risks

Visible Ops Handbook: Starting ITIL in Four Practical Steps

Stabilize the Patient Find Fragile Artifacts Create a repeatable build library Continual improvements