The Greeks knew long ago that it is impossible to step into the same river twice. Fast-forward from ancient Greece to our technology-driven century, and change occurs so rapidly it is difficult to manage. Managing change is one of the most difficult challenges that IT organizations face, and to effectively support and facilitate enterprise business goals, IT must also continually change. Sometimes these changes are significant, as in upgrading a network. Some changes are almost imperceptible, occurring without fanfare as services evolve and underlying IT infrastructure is maintained.

Infrastructure Complexity Magnifies the Impact of Change
While planned, authorized changes have obvious benefits to systems or users, unknown and even imperceptible changes can result in serious negative impact to IT systems and processes. IT organizations are responsible for a complex structure of "systems of systems,"all of which must work together to deliver quality information and communication services. Each "service" requires a specific, integrated "stack" of systems-such as applications, databases, middleware, directory services, operating systems, and networks-in order to successfully deliver a set of functions or processes. The unique behavior and state of each system in a stack is determined by a multitude of elements, such as file systems and their attributes, configuration settings, users, and permissions. This complexity means that changes in the IT infrastructure can potentially affect every part of a business operation, posing various degrees of risk to the enterprise. For example, an unauthorized change to firewall settings can result in serious vulnerabilities that not only threaten data and disrupts revenue-generating services, but that can also imperil compliance with regulatory requirements.

Instilling Change Controls
Change must be controlled to mitigate the inherent risk to IT's compliance, service quality, and security posture. Indeed, national and local laws, as well as private contractual arrangements, demand that organizations deploy effective controls on their IT infrastructures. One form of control is developing change management processes. These processes are often based on best practices, such as the IT Infrastructure Library (ITIL), and supported by an array of system management techniques, tools, procedures, and policies that together help define the organization's change management process.

Having processes in place is not enough, however. Change management policies and controls must be systematically evaluated and enforced. If they are not, companies experience:

• Control deficiencies that can result in poor audit findings, potential fines, and other disciplinary measures
• Difficulty and higher costs to prepare for audits
• Service outages, unplanned work, and delayed delivery of strategic projects resulting from unauthorized and undocumented changes
• Increased risk and security vulnerabilities
• A lack of assurance about system security and data integrity