Control of the Week #13 – Change Management
This week’s control involves Change Management. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), Jitendra Juthani (Senior Manager, IS Risk & Compliance), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why documenting your change management process can be vital to your audit.
Why this control is important
CM1 – Change Management Process – A formal change management process exists that governs changes to the applications and supporting infrastructure. The process document is reviewed by IT management on an annual basis and updated as needed.
Change happens whether we like it or not, and that holds true for an organization’s systems and offerings. Keeping track of these changes might be a tedious task, but critical for knowing when changes happened and who made them. This control involves the formal process that handles changes to applications and other infrastructure in your organization’s systems. This process will be signed off on by an executive team, and reviewed and updated by IT management every year or in case of significant changes (whichever is earlier).
Many changes can apply to this control and cover a wide range of importance and urgency. For example:
- Emergency changes – changes that should be evaluated and implemented as soon as possible after a disaster or a damaging incident. Records of the incident and the solution are critical.
- Standard changes – low-risk changes in which a specific procedure is already documented. These changes can be pre-approved to make the process shorter.
- Major changes – high-risk changes with potential financial consequences. The change request in this case should be comprehensive with appropriate impact assessments, and necessary high level approvals.
- Normal changes – significant changes to a service or IT infrastructure that needs to be reviewed and approved by the change advisory board prior to its implementation.
To summarize, a defined change management process helps organizations to perform changes in a structured, consistent and controlled way. Uncontrolled or poorly managed changes can have major consequences to business, especially if the change leads to any major incident or business-affecting outage. This can be avoided by establishing and implementing the Change Management process to help assess, authorize, and track changes throughout their lifecycle.
How to implement this control for your audits
Auditors will first look for whether a formal change management process exists to govern the changes within the organization. This can be documentation that outlines the process for proposing changes and implementing them. A good way of looking at this process is a cycle of change.
The beginning of this process is critical. When proposing changes, you need to ask where they are coming from, who prioritized the changes and who decides what will be implemented. You need to determine the scope of the change and how the changes will be requested. All these conditions are required to be formally documented in your change management process.
Next, this documented process should guide how you need to look at the impacts these changes might have on your systems. Looking at the risks and potential benefits of the changes will help guide the next step, which would be approval or sign-off by management.
Once the changes have been approved, they need to be implemented with processes in place to provide “breadcrumbs” leading to who made the changes and when. You need to know who is making the changes, who is testing those changes, and who is approving them when they are complete. Authorization requirements of all types of changes along with what type of changes are pre-approved (such as standard changes) are also required to be documented in the change process.
Lastly, keeping records of the changes in your system and the outcomes of those changes will guide the cycle back to the beginning where additional or future changes are being considered. Reviews are needed to ensure that the changes are working as intended. Did these changes mitigate potential risks? Were new risks or issues created? Auditors will especially look for the completeness of your changes. If they see a list of changes, they will want to know if they have all been implemented and tested in your systems.
To summarize, the change management process must cover all stages of change cycle and how changes are managed and handled in each phase.
Other things to consider:
- Think about and document who requested changes to your environment. Was it client driven? Product driven? Planned updates or upgrades? Each type of change will have a different approval rate and framework for implementation.
- Once a change has been documented and assigned, remember to have someone test it to see if it meets security or privacy requirements.
- Impact analysis and risk assessment of your systems will heavily dictate how changes should be implemented.
Overall, the takeaway is good documentation. Beginning to end, ensure that you understand the changes that happened and why. Know who is responsible, where the changes are coming from, who assigned them, and how they are documented. Having a clear answer and the evidence to support it will help you greatly in your audit!