Part II—Risk Management and Information Systems Control in Practice
3. Change Management
D. Process Overview

D. PROCESS OVERVIEW

Relevance
This section describes the change management process and its importance to the achievement of business objectives. It should be remembered that the purpose of the change management process is to allow and manage change where appropriate, while also ensuring that changes are performed correctly, are authorized and are made in accordance with the formal approval process.

Changes are necessary to permit upgrades to systems and processes, deploy new technology, fix vulnerabilities and add new functionality; however, changes to systems, networks, applications and business processes pose a serious risk to the enterprise. As a result of a change, errors may be introduced into the system or process, and operational and security controls or functionality may be impacted. The process of change management helps mitigate the risk that changes to information systems might negatively impact the stability or integrity of the production environment or weaken the control environment.

Process Description
Change management manages all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure and documentation. The goal of change management is to enable fast and reliable delivery of change to the business and mitigation of the risk of negatively impacting the stability or integrity of the changed environment.

Management Practices
Key management practices related to change management are:
1. Evaluate, prioritize and authorize change requests
2. Manage emergency changes
3. Track and report change status
4. Close and document the changes

1. Evaluate, prioritize and authorize change requests
Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether the change will adversely affect the operational environment and introduce unacceptable risk.
Ensure that changes are logged, prioritized, categorized, assessed, authorized, planned and scheduled. Related activities include:
1. Use formal change requests to enable business process owners and IT to request changes to business processes, infrastructure, systems or applications. Make certain that all such changes arise only through the change request management process.
2. Categorize all requested changes (e.g., business process, infrastructure, operating systems, networks, application systems, purchased/packaged application software) and relate affected configuration items.
3. Prioritize all requested changes based on the business and technical requirements; the resources required; and the legal, regulatory and contractual reasons for the requested change.
4. Plan and evaluate all requests in a structured fashion. Include an impact analysis on business processes, infrastructure, systems and applications, business continuity plans (BCPs) and service providers to ensure that all affected components have been identified. Assess the likelihood of adversely affecting the operational environment and the risk of implementing the change. Consider security, legal, contractual and compliance implications of the requested change. Consider also interdependencies among changes. Involve business process owners in the assessment process, as appropriate.
5. Formally approve each change by business process owners, service managers and IT technical stakeholders, as appropriate. Changes that are low-risk and relatively frequent should be pre-approved as standard changes.
6. Plan and schedule all approved changes.
7. Consider the impact of contracted service providers (e.g., of outsourced business processing, infrastructure, application development and shared services) on the change management process. Include integration of organizational change management processes with the change management processes of service providers.

2. Manage emergency changes
Carefully manage emergency changes to minimize further incidents and make sure the change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change. Related activities include:
1. Ensure that a documented procedure exists to declare, assess, give preliminary approval, authorize after the change and record an emergency change.
2. Verify that all emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
3. Monitor all emergency changes, and conduct postimplementation reviews involving all concerned parties.
The review should consider and initiate corrective action based on root causes such as problems with business processes, application system development and maintenance, development and test environments, documentation and manuals, and data integrity.
4. Define what constitutes an emergency change.

3. Track and report change status
Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain approved changes are implemented as planned. Related activities include:
1. Categorize change requests in the tracking process (e.g., rejected, approved but not yet initiated, approved and in process, and closed).
2. Implement change status reports with performance metrics to enable management review and monitoring of both the detailed status of changes and the overall state (e.g., aged analysis of change requests). Ensure that status reports form an audit trail so changes can subsequently be tracked from inception to eventual disposition.
3. Monitor open changes to ensure that all approved changes are closed in a timely fashion, depending on priority.
4. Maintain a tracking and reporting system for all change requests.

4. Close and document the changes
Whenever changes are implemented, update accordingly the solution and user documentation and the procedures affected by the change. Related activities include:
1. Include changes to documentation (e.g., business and IT operational procedures, business continuity and disaster recovery documentation, configuration information, application documentation, help screens, training materials) within the change management procedure as an integral part of the change.
2. Define an appropriate retention period for change documentation and pre- and post-change system and user documentation.
3. Subject documentation to the same level of review as the actual change.

Relationship to Problem Management
The change management process is often used to repair a vulnerability or flaw based upon a recommendation that is a finding from the incident and problem management processes. The CRISC candidate may also refer to the Problem Management chapter in Part II for more information on this topic.
E. RISK MANAGEMENT CONSIDERATIONS

Introduction
This section discusses risk management practices related to change management. The following points are addressed:
• Risk factors
• Generic threats and common vulnerabilities
• Generic scenarios and key risk indicators (KRIs)

Risk Factors
Factors affecting risk related to change management are:
• Complexity—Size, complexity, geographic range, etc., all affect the ease with which change management can be implemented and managed:
  – Organizational structure: insourced, outsourced (onsite, offsite, offshore), cosourced (outsourced, insourced, consultant)
  – Control environment: mature, immature
  – Applications source: in-house, purchased off the shelf, customized
  – Application portfolio: managed, ad hoc (informal)
  – Hardware/software purchasing: centralized, decentralized
  – Geographic location: single location, multiple locations, international, global
• System criticality—The process used to assess the effect that each change has on the core business processes of the enterprise. Testing a change to a critical system may be difficult when the system cannot be taken offline to allow the change to be implemented.
• Change management capability—Maturity of the change management process and the ability to monitor, document and authorize change activities
• Rate of change—The volatility of the systems and the rate of change to business processes, systems and projects

Generic Threats and Common Vulnerabilities
Generic threats and common vulnerabilities related to the change management process are:
• A change control process that is not well defined or enforced and allows changes/exceptions without proper review and validation
• Lack of a separate environment for testing and development, which causes developers and administrators to test changes directly in production
• Unauthorized changes resulting in compromised security and unauthorized changes or access to business processes and data
• Lack of documentation of previous changes to understand the reason and effects of the change
• The inability to monitor application changes and business processes and data
• Emergency changes that are not documented; the potential for unauthorized changes to be implemented as part of emergency changes
• Configuration documentation that does not reflect the current system configuration
• Failure to meet compliance requirements (access control, system availability, etc.)
• Changes resulting in bypassing of security controls
• Increased dependence on key individuals; lack of cross-training or knowledge of systems
• Reduced system availability and impact on performance due to changes
• Unintended processing side effects
• Adverse effects on the capacity and performance of the infrastructure

CRISC Review Manual 2013

Generic Scenarios and Key Risk Indicators (KRIs)
Examples of generic risk scenarios related to change management are:
• Change does not meet business objectives
• Change causes system outages (everything worked until the change)
• Integrity/availability errors caused by revised processes
• Inability to implement required changes quickly enough due to inflexibility of the change management process
• Vendor patches not available for unsupported equipment
• Changes to scope of projects causing project failure

Examples of KRIs are the:
• Number of disruptions or data errors caused by inaccurate assessment of the impact of changes
• Number of incidents of application code rework caused by incorrect change specifications
• Ratio of emergency fixes to total changes
• Number of change requests in the backlog
• Time between release of vendor patch and rollout of change
• Ratio of documented changes to changes in the change management system
• Changes not formally tracked, reported or authorized
• Number of changes promoted to production without management approval
• Percentage of changes reviewed with business for feedback and customer satisfaction

F. INFORMATION SYSTEMS CONTROL DESIGN, MONITORING AND MAINTENANCE

Introduction
This section provides an overview of information systems controls related to the change management process.
The following points are addressed:
• Key control activities
• IS control metrics

Key Control Activities
Key control activities for the following aspects of the change management process are described in this section:
• Change standards and procedures
• Impact assessment, prioritization and authorization
• Emergency changes
• Change status tracking and reporting
• Change closure and documentation

Key Control Activities Related to Change Standards and Procedures
Set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, network configuration, system and service parameters and the underlying platforms.
• Develop, document and promulgate a change management framework that specifies the policies and processes, covering:
  – Roles and responsibilities
  – Classification and prioritization of all changes based on business and security risk
  – Assessment of impact
  – Authorization and approval of all changes by the business process owners and IT
  – Tracking and status of changes
  – The impact on data integrity (e.g., all changes to data files being made under system and application control rather than by direct user intervention)
• Establish and maintain version control over all changes.
• Implement roles and responsibilities that involve business process owners and technical functions with an appropriate segregation of duties.
• Establish change management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Escalate and report to management.
• Consider the impact of contracted service providers (e.g., of infrastructure, application development and shared services) on the change management process, the integration of organizational change management processes with the change management processes of service providers, and the impact on the organizational change management process of contractual terms and service level agreements (SLAs).
Key Control Activities Related to Impact Assessment, Prioritization and Authorization
Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorized, prioritized and authorized.
• Develop a process to allow business process owners and/or IT to request changes to infrastructure, systems or applications. Develop controls to ensure that all such changes are processed only through the formal change request management process.
• Categorize all requested changes according to one or more areas affected (e.g., infrastructure, operating systems, networks, application systems, purchased/packaged application software).
• Prioritize all requested changes so that the change management process identifies the business as well as the technical and security need for the change. Consider legal, regulatory and contractual reasons for the requested change.
• Assess the impact of all requests in a structured fashion. The assessment process should address impact analysis on infrastructure, systems and applications. Consider security, legal, contractual and compliance implications of the requested change and also interdependencies among changes. Involve business process owners in the assessment process, as appropriate.
• Estimate the resources and time required to develop, test and implement the change and the impact on current workload.
• Determine the acceptable window of downtime for rollout of the change.
• Each change should be formally approved by business process owners and IT technical stakeholders, as appropriate.

Key Control Activities Related to Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes that do not follow the established change process.
• A documented process exists within the overall change management process to declare, assess, authorize and record an emergency change.
• Emergency changes are processed in accordance with the emergency change element of the formal change management process.
• Ensure that emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
• Conduct a postimplementation review of all emergency changes, involving all concerned parties.
  The review should consider implications for aspects such as further application system maintenance and the impact on development and test environments.
• Ensure that all temporary files used for the change are removed from production systems.

Key Control Activities Related to Change Status Tracking and Reporting
Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain approved changes are implemented as planned.
• Establish a process to allow tracking of the status of changes throughout the various stages of the change management process.
• Implement change status reports with performance metrics to enable management review and monitoring of both the detailed status of changes and the overall state (e.g., aged analysis of change requests).
• Monitor open changes so that all approved and completed changes are closed in a timely fashion, depending on priority.

Key Control Activities Related to Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
• Ensure that documentation, including operational procedures, configuration information, application documentation, help screens and training materials, follows the same change management procedure and is considered to be an integral part of the change.
• Consider an appropriate retention period for change documentation and pre- and post-change system and user documentation.
• Update business processes for changes in hardware or software to ensure that new or improved functionality is used.
• Update business continuity and disaster recovery plans where appropriate.
• Subject documentation to the same level of testing as the actual change.

IS Control Metrics
[Table of change management metrics reported for the current and prior periods; the rows that remain legible are: percent of total changes that are emergency changes; number of emergency changes not authorized after the fact; stakeholder satisfaction with change communications.]

G. THE PRACTITIONER'S PERSPECTIVE

Introduction
Change management is one of the highest risk areas within IT operations. Business processes formerly performed manually by employees are revised and executed using programs implemented by the change management process. The introduction of unauthorized or incorrectly designed business processes can undermine the reliability and integrity of the business process. The change management process is the primary control point for ensuring the integrity of business processes and the rollout of the change. Failure to implement the change correctly could result in data or processing integrity errors, interruption in service or financial penalties. The following section provides an overview of how the five CRISC domains (listed below) relate to change management in practice:
• Domain 1—Risk Identification, Assessment and Evaluation
• Domain 2—Risk Response
• Domain 3—Risk Monitoring
• Domain 4—Information Systems Control Design and Implementation
• Domain 5—Information Systems Control Monitoring and Maintenance

Domain 1—Risk Identification, Assessment and Evaluation
The risk identification, assessment and evaluation process is key to the determination of which changes are implemented. The risk process:
• Determines the effect the change will have on core business activities, security and the supporting infrastructure
• Evaluates alternatives to the proposed change and its effect on the core business processes
• Manages interrelationships with other business processes and potential consequences and changes to the interfacing systems
• Prioritizes proposed changes
• Provides a basis for scheduling changes and implementations
The risk practitioner should pay attention to how changes are initially identified and then entered into the change management tracking system, and to the quality of the initial risk assessment performed prior to the change project being assigned to the development team.

Domain 2—Risk Response
The risk response will depend on the risk identification, assessment and evaluation. Risk response requires a formal approach to issues, opportunities and events. This will ensure that solutions are in alignment with the business objectives, do not negatively impact other processes, and are cost-effective. The following should be considered:
• When preparing the risk response, consider the risk exposure in terms of loss of production, disclosure of confidential information, lost opportunity costs, violation of regulatory compliance, etc.
• Understand the business risk appetite: security, service interruptions, confidentiality of data, compliance requirements, etc.
• Keep the business stakeholders apprised of identified risk and how IT will respond to it.
• Ensure that steps are taken to identify and investigate any unauthorized changes.

Domain 3—Risk Monitoring
Risk monitoring has the potential to provide management with an early warning of change management issues. The key risk indicators (KRIs) described previously should identify negative trends in the change process and the change projects, which require management attention and follow-up. An effective monitoring process should be implemented to provide management and the stakeholders with an understanding of open issues, the expected time frame to close issues, milestones passed, and the tracking of resolution and status reporting.
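As an added example (not code from the CRISC Review Manual), the following Python derives several of the KRIs listed earlier from a constructed set of change tracking records and reports the conditions that would need management follow-up under risk monitoring; the record layout, sample data and tolerance values are assumptions.

```python
"""Change management KRIs from change tracking records (added example; record layout,
sample data and tolerances are assumptions, not the manual's own)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class ChangeRecord:
    change_id: str
    category: str               # "standard", "normal" or "emergency"
    status: str                 # rejected, approved, in_process or closed
    approved_by: Optional[str]  # None when no formal approval was recorded
    in_production: bool         # change has been promoted to production
    authorized_after: bool      # emergency change authorized after the fact
    requested: date
    closed: Optional[date] = None

# Constructed sample export from a change tracking system (not real data).
SAMPLE = [
    ChangeRecord("CHG-1", "normal", "closed", "CAB", True, False, date(2013, 1, 3), date(2013, 1, 10)),
    ChangeRecord("CHG-2", "emergency", "closed", "ops manager", True, True, date(2013, 1, 5), date(2013, 1, 5)),
    ChangeRecord("CHG-3", "emergency", "closed", None, True, False, date(2013, 1, 8), date(2013, 1, 8)),
    ChangeRecord("CHG-4", "normal", "in_process", None, True, False, date(2013, 1, 9)),
    ChangeRecord("CHG-5", "standard", "approved", "pre-approved", False, False, date(2012, 11, 20)),
    ChangeRecord("CHG-6", "normal", "rejected", None, False, False, date(2013, 1, 12)),
]
AS_OF = date(2013, 1, 15)  # reporting date for the sample

def kri_report(records, as_of, backlog_age_days=30):
    """Compute KRIs named in the chapter from the tracking records."""
    considered = [r for r in records if r.status != "rejected"]
    emergency = [r for r in considered if r.category == "emergency"]
    open_changes = [r for r in considered if r.status in ("approved", "in_process")]
    return {
        "total_changes": len(considered),
        # ratio of emergency fixes to total changes
        "emergency_ratio": len(emergency) / len(considered) if considered else 0.0,
        # change requests in the backlog, and those open longer than tolerated
        "backlog": [r.change_id for r in open_changes],
        "aged_backlog": [r.change_id for r in open_changes
                         if (as_of - r.requested).days > backlog_age_days],
        # changes promoted to production without management approval
        "unapproved_promotions": [r.change_id for r in considered
                                  if r.in_production and r.approved_by is None],
        # emergency changes never authorized after the fact
        "emergency_unauthorized": [r.change_id for r in emergency
                                   if not r.authorized_after],
    }

def exceptions(report, max_emergency_ratio=0.25):
    """List the conditions that require management attention and follow-up."""
    found = []
    if report["emergency_ratio"] > max_emergency_ratio:
        found.append("emergency ratio %.2f exceeds tolerance" % report["emergency_ratio"])
    for key in ("unapproved_promotions", "emergency_unauthorized", "aged_backlog"):
        if report[key]:
            found.append("%s: %s" % (key, ", ".join(report[key])))
    return found
```

Running `exceptions(kri_report(SAMPLE, AS_OF))` on the sample flags the emergency ratio, two changes in production without approval, one emergency change never authorized after the fact, and one aged backlog item.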
