Part 1

Change and Configuration Management


All system changes should be managed and controlled, and result in
outputs that are acceptable to the business.

Each control objective below is followed by the audit questions (Controls) and the topics for the accompanying Workbook.

Control objective 1: Changes to IT systems should be controlled on the basis of defined procedures.

Controls:
- Have the procedures for changing ICT systems been documented?
- Have the procedures received appropriate authorisation?
- How are the procedures kept up-to-date?
- In respect of major changes, do the procedures address training needs?

Workbook:
Risks: system malfunction or failure due to
- uncontrolled change
- unauthorised change
Discussion on:
- time, cost and quality
- the risks inherent in changing IT systems
- configuration management
- documentation and document management
- training

Control objective 2: Changes should specify the components to be changed, and also the version where multiple versions exist.

Controls:
- How do management ensure that only the correct system components are changed?
- How do management ensure that only the correct system components are installed following change?

Workbook:
Discussion on:
- scoping changes
- version control

Control objective 3: The risks associated with change proposals should be assessed and managed.

Controls:
- How do management assess the risk inherent in change proposals?
- How do management act on risk assessments?
- How do management establish whether a change has been successful?
- How do management restore stability following an unsuccessful change?

Workbook:
Discussion on:
- categorising system changes
- impact analysis
- regression plans

C:\temp\Risks - Change & Configuration Management.doc


IP 14/10/2003 11:49 AM
Control objective 4: System changes should be authorised at an appropriate level of management.

Controls:
- Have top management defined delegated powers to authorise system changes?
- Are changes to application systems authorised by end-user management?
- Are end users consulted on proposed changes to the IT infrastructure?

Workbook:
Discussion on:
- delegated authority
- system ownership
- end-user participation

Control objective 5: Due regard should be paid to an effective separation of roles in managing changes.

Controls:
- Is there an effective separation between the functions of authorising a change, recording a change, building a change, implementing a change, and quality control?
- Does an effective separation of roles apply to emergency changes?

Workbook:
- Discussion on the need for separation of roles in the change management cycle
- Emergency change procedures

Control objective 6: Authorised changes should be managed to completion.

Controls:
- Are all system changes recorded? Are all steps within the change control procedure recorded?
- Are change records retained for audit?
- Does each change have an "owner" or "sponsor" to take key decisions?
- Are authorised changes planned and scheduled according to business need?
- How do management ensure that all scheduled changes are actually carried out?
- How are unsuccessful changes dealt with?
- What ensures that system changes do not bypass the approved procedure?

Workbook:
Discussion on:
- recording changes
- back-tracking and auditing
- ownership of changes
- planning and scheduling
- control over re-work
- unauthorised changes
- training
- priority

Control objective 7: Emergency changes should comply with normal change management requirements as soon as possible.

Controls:
- How do management ensure that emergency changes are implemented without delay?
- How do management ensure that emergency changes are of appropriate quality?
- How do management ensure that emergency changes do not result in abuse of the change control system?

Workbook:
- Emergency change procedures: quality and security implications

Control objective 8: Changed components should be fit for business use.

Controls:
- How do management ensure that system changes comply with the appropriate development standards?
- How do management ensure that system changes are of acceptable quality to end-users?
- Does quality review include all appropriate documentary changes?
- Are changes reviewed following live implementation?
- How would management detect unauthorised components incorporated within an authorised change?

Workbook:
Discussion on:
- technical testing
- user acceptance testing
- system performance
- documentation
- post implementation review
- "Trojan Horse"/computer virus

Control objective 9: Configuration items should be recorded accurately.

Controls:
- Is the system configuration recorded in respect of hardware, software, documentation, and data communications equipment?
- Are the records comprehensive?
- How do management ensure that configuration records are promptly updated to reflect system changes?
- How do management protect the records from unauthorised change?
- How do management ensure the records are realistic?

Workbook:
Discussion on:
- configuration management
- unauthorised change
- configuration auditing
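The two questions that most often go unanswered in practice are the last one under objective 8 (how would management detect an unauthorised component slipped in alongside an authorised change?) and the protection of the configuration record itself under objective 9. The following Python is an added example, not part of the original workbook, showing one mechanical way to support both: a recorded baseline of configuration items (path and SHA-256), an HMAC seal over that record so alterations to the record are detected, and a configuration audit that compares the live state against the sealed record and reports added, removed and modified items. The sample configuration tree, file contents and record key are constructed for the example; the key would in practice be held by whoever owns the configuration record, not by the people building changes.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a configuration item, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def discover(root: Path) -> list:
    """Enumerate the configuration items actually present under root (files only)."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def record_baseline(root: Path, items: list) -> dict:
    """Record the configuration: relative path -> SHA-256 of each item."""
    return {rel: hash_file(root / rel) for rel in sorted(items)}


def _canonical(items: dict) -> bytes:
    # Canonical JSON so the seal does not depend on key order or whitespace.
    return json.dumps(items, sort_keys=True, separators=(",", ":")).encode()


def seal(items: dict, key: bytes) -> dict:
    """Protect the record from unauthorised change with an HMAC over its canonical form."""
    return {"items": items, "mac": hmac.new(key, _canonical(items), hashlib.sha256).hexdigest()}


def verify_seal(record: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(record["items"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["mac"])


def audit(root: Path, record: dict, key: bytes) -> dict:
    """Configuration audit: compare the live system against the sealed record.

    'added' lists components present on the system but absent from the approved
    record, which is exactly the unauthorised-component case under objective 8.
    """
    if not verify_seal(record, key):
        raise ValueError("configuration record has been altered or was not sealed with this key")
    baseline = record["items"]
    current = record_baseline(root, discover(root))
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: seal a baseline, apply one authorised change plus one
    unauthorised extra component, audit, then try to forge the record to hide it."""
    key = b"constructed-record-key-not-for-production"  # assumption: held by the record owner
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=8080\nlog_level=info\n")
        (root / "etc" / "hosts.allow").write_text("ALL: 10.0.0.0/8\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF constructed placeholder binary")

        record = seal(record_baseline(root, discover(root)), key)
        clean = audit(root, record, key)  # nothing has changed yet

        # Authorised change: the approved edit to app.conf.
        (root / "etc" / "app.conf").write_text("listen=8443\nlog_level=info\n")
        # Unauthorised component delivered alongside it: nobody approved bin/helper.
        (root / "bin" / "helper").write_bytes(b"\x7fELF constructed unexpected binary")
        findings = audit(root, record, key)

        # An attacker who can write the record but lacks the key cannot make the
        # helper look approved: the altered record fails verification.
        forged = json.loads(json.dumps(record))
        forged["items"]["bin/helper"] = hash_file(root / "bin" / "helper")
        try:
            audit(root, forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True

    findings["baseline_was_clean"] = clean == {"added": [], "removed": [], "modified": []}
    findings["record_tamper_detected"] = tamper_detected
    return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit only answers the "detect" question; it does not replace the authorisation and separation-of-roles controls above. In particular, the person who can update and re-seal the record after a change must not be the person who builds or implements changes, otherwise the record simply follows whatever was installed.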
