• image description

Enforcing IT Change Management Policy

Source:
Security
Published:
Apr 13, 2009
Pages:
8

The Greeks knew long ago that it is impossible to step into the same river twice. Fast-forward from ancient Greece to our technology-driven century, and change occurs so rapidly it is difficult to manage. Managing change is one of the most difficult challenges that IT organizations face, and to effectively support and facilitate enterprise business goals, IT must also continually change. Sometimes these changes are significant, as in upgrading a network. Some changes are almost imperceptible, occurring without fanfare as services evolve and underlying IT infrastructure is maintained.

While  planned,  authorized  changes  have  obvious  benefits  to  systems  or  users,  unknown  and  even  imperceptible changes can result in serious negative impact to IT systems and processes. IT organizations are responsible for a complex structure of  "systems of systems," all of which must work together to deliver quality information and communication services.

Each "service" requires a specific, integrated "stack" of systems-such as applications, databases, middleware, directory services, operating systems, and networks-in order to successfully deliver a set of functions or processes. The unique behavior and state of each system in a stack is determined by a multitude of elements, such as file systems and their attributes, configuration settings, users, and permissions.

This complexity means  that changes  in  the  IT  infrastructure can potentially affect every part of a business operation, posing various degrees of risk to the enterprise. For example, an unauthorized change to firewall settings can result in serious vulnerabilities that not only threaten data and disrupts revenue-generating services, but that can also  imperil compliance with regulatory requirements.

Change must be controlled to mitigate the inherent risk to IT's compliance, service quality, and security posture. Indeed, national and local laws, as well as private contractual arrangements, demand that organizations deploy effective controls on their IT infrastructures. One form of control is developing change management processes.

These processes are often based on best practices, such as the IT Infrastructure Library (ITIL), and supported by an array of system management techniques, tools, procedures, and policies that together help define the organization's change management process.

Having processes in place is not enough, however. Change management policies and controls must be systematically evaluated and enforced. If they are not, companies experience:

  • Control deficiencies that can result in poor audit findings, potential fines, and other disciplinary measures
  • Difficulty and higher costs to prepare for audits
  • Service outages, unplanned work, and delayed delivery of strategic projects resulting from unauthorized and undocumented changes
  • Increased risk and security vulnerabilities
  • A lack of assurance about system security and data integrity
To download the full whitepaper/case study, please provide the following information:

Other Security White Papers

Re-engineering Legacy to Web Application

Reengineering of software is described as the examination and alteration of a system to reconstitute in a new form. The approach is to renovate and extend the current application into new technology to best support the needs of the current business. Application modernization should be achieved by leveraging the existing investment in application infrastructure and reposition the product advantageously for the future. The challenge on hand is to convert legacy application to web application by reengineering legacy components to re-usable components. The web application can be easily integrated with web technologies.

View all White Papers by Security