Risks - Change & Configuration Management
8/8/2019 Risks - Change & Configuration Management
http://slidepdf.com/reader/full/risks-change-configuration-management 1/4
Part 1
Change and Configuration Management
C:\temp\Risks - Change & Configuration Management.doc
IP 14/10/2003 11:49 AM
All system changes should be managed and controlled, and result in outputs that are acceptable to the business.

Control objective / Controls / Workbook

1. Changes to IT systems should be controlled on the basis of defined procedures

Controls:
- Have the procedures for changing ICT systems been documented?
- Have the procedures received appropriate authorisation?
- How are the procedures kept up-to-date?
- In respect of major changes, do the procedures address training needs?

Risks: system malfunction or failure due to
- uncontrolled change
- unauthorised change

Workbook: discussion on
- time, cost and quality
- the risks inherent in changing IT systems
- configuration management
- documentation and document management
- training

2. Changes should specify the components to be changed, and also the version where multiple versions exist

Controls:
- How do management ensure that only the correct system components are changed?
- How do management ensure that only the correct system components are installed following change?

Workbook: discussion on
- scoping changes
- version control

3. The risks associated with change proposals should be assessed and managed

Controls: how do management
- assess the risk inherent in change proposals?
- act on risk assessments?
- establish whether a change has been successful?
- restore stability following an unsuccessful change?

Workbook: discussion on
- categorising system changes
- impact analysis
- regression plans
4. System changes should be authorised at an appropriate level of management

Controls:
- Have top management defined delegated powers to authorise system changes?
- Are changes to application systems authorised by end-user management?
- Are end users consulted on proposed changes to the IT infrastructure?

Workbook: discussion on
- delegated authority
- system ownership
- end-user participation

5. Due regard should be paid to an effective separation of roles in managing changes

Controls:
- Is there an effective separation between the functions of authorising a change, recording a change, building a change, implementing a change, and quality control?
- Does an effective separation of roles apply to emergency changes?

Workbook:
- discussion on the need for separation of roles in the change management cycle
- emergency change procedures
6. Authorised changes should be managed to completion

Controls:
- Are all system changes recorded? Are all steps within the change control procedure recorded?
- Are change records retained for audit?
- Does each change have an "owner" or "sponsor" to take key decisions?
- Are authorised changes planned and scheduled according to business need?
- How do management ensure that all scheduled changes are actually carried out?
- How are unsuccessful changes dealt with?
- What ensures that system changes do not bypass the approved procedure?

Workbook: discussion on
- recording changes
- back-tracking and auditing
- ownership of changes
- planning and scheduling
- control over re-work
- unauthorised changes
- training
- priority

7. Emergency changes should comply with normal change management requirements as soon as possible

Controls: how do management ensure that emergency changes
- are implemented without delay?
- are of appropriate quality?
- do not result in abuse of the change control system?

Workbook: emergency change procedures, their quality and security implications
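Several of the controls above (naming the components and versions to be changed, authorising at the right level, separating roles, and bringing emergency changes back under normal authorisation) can be checked mechanically against a change register. The following Python is an added example, not part of the original workbook; the role names, the AUTHORITY table, the 24-hour grace period and the sample change records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Roles the workbook says should be separated in the change management cycle.
SEPARATED_ROLES = ("authorised_by", "recorded_by", "built_by", "implemented_by", "qc_by")
# Assumed delegated authority: which roles may authorise which kind of system change.
AUTHORITY = {"application": {"app-owner", "cio"}, "infrastructure": {"infra-mgr", "cio"}}
EMERGENCY_GRACE = timedelta(hours=24)  # assumed deadline for retrospective authorisation

SAMPLE_CHANGES = [  # constructed change records, not from the workbook
    {"id": "CHG-100", "kind": "application", "components": {"payroll": "4.2"},
     "authorised_by": "app-owner", "recorded_by": "clerk", "built_by": "dev1",
     "implemented_by": "ops1", "qc_by": "qa1", "emergency": False},
    {"id": "CHG-101", "kind": "infrastructure", "components": {"core-switch": ""},
     "authorised_by": "dev1", "recorded_by": "dev1", "built_by": "dev1",
     "implemented_by": "dev1", "qc_by": "dev1", "emergency": False},
    {"id": "CHG-102", "kind": "infrastructure", "components": {"firewall": "r42"},
     "recorded_by": "ops2", "built_by": "ops1", "implemented_by": "ops1", "qc_by": "qa1",
     "emergency": True, "implemented_at": datetime(2024, 1, 1, 10, 0)},
]

def validate_change(change, now):
    """Return the list of control failures for one change record (empty means it passes)."""
    findings = []
    # Control 2: every component to be changed is named, with a target version.
    components = change.get("components") or {}
    if not components:
        findings.append("no components specified")
    for comp, ver in components.items():
        if not ver:
            findings.append(f"{comp}: no target version")
    # Control 4: the authoriser holds delegated authority for this kind of system.
    auth = change.get("authorised_by")
    if auth and auth not in AUTHORITY.get(change.get("kind"), set()):
        findings.append(f"{auth} may not authorise {change.get('kind')} changes")
    # Control 5: no one person holds two of the separated roles (emergency or not).
    people = [change.get(r) for r in SEPARATED_ROLES if change.get(r)]
    if len(people) != len(set(people)):
        findings.append("same person holds more than one separated role")
    # Control 7: an emergency change may be implemented first, but must be
    # authorised retrospectively within the grace period; others need it up front.
    if change.get("emergency"):
        if not auth and now - change["implemented_at"] > EMERGENCY_GRACE:
            findings.append("emergency change still unauthorised after grace period")
    elif not auth:
        findings.append("non-emergency change has no authorisation")
    return findings
```

Run over the register with a fixed `now`, each record's findings list is the evidence an auditor would ask for under these controls.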
8. Changed components should be fit for business use

Controls:
- How do management ensure that system changes comply with the appropriate development standards?
- How do management ensure that system changes are of acceptable quality to end-users?
- Does quality review include all appropriate documentary changes?
- Are changes reviewed following live implementation?
- How would management detect unauthorised components incorporated within an authorised change?

Workbook: discussion on
- technical testing
- user acceptance testing
- system performance
- documentation
- post implementation review
- "Trojan Horse"/computer virus

9. Configuration items should be recorded accurately

Controls:
- Is the system configuration recorded in respect of hardware, software, documentation, and data communications equipment?
- Are the records comprehensive?
- How do management ensure that configuration records are promptly updated to reflect system changes?
- How do management protect the records from unauthorised change?
- How do management ensure the records are realistic?

Workbook: discussion on
- configuration management
- unauthorised change
- configuration auditing
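The configuration-auditing points in objectives 8 and 9 (detecting a change that no authorised change covers, a scheduled change that was not carried out, a record not updated after an authorised change, and protecting the records themselves from unauthorised change) can be worked through on a small baseline. This Python is an added example, not from the workbook; the component names, versions, the change id and the HMAC key are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the workbook): recorded baseline, observed state, one approved change.
RECORDED = {
    "app-server": {"version": "2.3.1"},
    "db-server": {"version": "11.2"},
    "firewall-rules": {"version": "r41"},
    "ops-manual.doc": {"version": "v7"},
}
OBSERVED = {
    "app-server": {"version": "2.4.0"},    # changed under CHG-001
    "db-server": {"version": "11.2"},
    "firewall-rules": {"version": "r42"},  # changed, but no change record covers it
    "ops-manual.doc": {"version": "v7"},   # CHG-001 promised v8 but it never happened
}
AUTHORISED_CHANGES = [
    {"id": "CHG-001", "components": {"app-server": "2.4.0", "ops-manual.doc": "v8"}},
]

def audit_configuration(recorded, observed, changes):
    """Audit findings: unauthorised (changed, no approved change covers it),
    incomplete (approved change not carried out), stale_records (changed under an
    approved change but the configuration record was not updated)."""
    approved = {}
    for chg in changes:
        for comp, ver in chg["components"].items():
            approved[comp] = (chg["id"], ver)
    unauthorised, incomplete, stale = [], [], []
    for comp in sorted(set(recorded) | set(observed)):
        rec = recorded.get(comp, {}).get("version")
        obs = observed.get(comp, {}).get("version")
        if comp in approved:
            chg_id, target = approved[comp]
            if obs != target:
                incomplete.append((chg_id, comp, target, obs))
            elif rec != obs:
                stale.append((comp, rec, obs))
        elif rec != obs:
            unauthorised.append((comp, rec, obs))
    return {"unauthorised": unauthorised, "incomplete": incomplete, "stale_records": stale}

def seal_records(records, key):
    # Keyed hash over the canonical JSON of the records, so later tampering is detectable.
    canonical = json.dumps(records, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def records_intact(records, key, seal):
    return hmac.compare_digest(seal_records(records, key), seal)
```

The seal only detects modification of the stored records; who may legitimately update them is still a matter of the authorisation and separation-of-roles controls above.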