
Risks - Change & Configuration Management

8/8/2019 Risks - Change & Configuration Management

http://slidepdf.com/reader/full/risks-change-configuration-management 1/4

Part 1

Change and Configuration Management

C:\temp\Risks - Change & Configuration Management.doc

IP 14/10/2003 11:49 AM 

All system changes should be managed and controlled, and result in outputs that are acceptable to the business.

Each control objective below is listed with its Controls (audit questions) and Workbook (discussion topics), the three columns of the original table.

1. Changes to IT systems should be controlled on the basis of defined procedures

Controls:
Have the procedures for changing ICT systems –
- been documented?
- received appropriate authorisation?
How are the procedures kept up-to-date?
In respect of major changes, do the procedures address training needs?

Workbook:
Risks – system malfunction or failure due to –
- uncontrolled change
- unauthorised change
Discussion on –
- time, cost and quality
- the risks inherent in changing IT systems
- configuration management
- documentation and document management
- training

2. Changes should specify the components to be changed, and also the version where multiple versions exist

Controls:
How do management ensure that only the correct system components –
- are changed?
- are installed following change?

Workbook:
Discussion on –
- scoping changes
- version control

3. The risks associated with change proposals should be assessed and managed

Controls:
How do management –
- assess the risk inherent in change proposals?
- act on risk assessments?
- establish whether a change has been successful?
- restore stability following an unsuccessful change?

Workbook:
Discussion on –
- categorising system changes
- impact analysis
- regression plans


4. System changes should be authorised at an appropriate level of management

Controls:
Have top management defined delegated powers to authorise system changes?
Are changes to application systems authorised by end-user management?
Are end users consulted on proposed changes to the IT infrastructure?

Workbook:
Discussion on –
- delegated authority
- System Ownership
- end-user participation

5. Due regard should be paid to an effective separation of roles in managing changes

Controls:
Is there an effective separation between the functions of –
- authorising a change?
- recording a change?
- building a change?
- implementing a change?
- quality control?
Does an effective separation of roles apply to emergency changes?

Workbook:
Discussion on the need for separation of roles in the change management cycle
Emergency change procedures


6. Authorised changes should be managed to completion

Controls:
Are all system changes recorded? Are all steps within the change control procedure recorded?
Are change records retained for audit?
Does each change have an "owner" or "sponsor" to take key decisions?
Are authorised changes planned and scheduled according to business need?
How do management ensure that all scheduled changes are actually carried out?
How are unsuccessful changes dealt with?
What ensures that system changes do not bypass the approved procedure?

Workbook:
Discussion on –
- recording changes
- back-tracking and auditing
- ownership of changes
- planning and scheduling
- control over re-work
- unauthorised changes
- training
- priority

7. Emergency changes should comply with normal change management requirements as soon as possible

Controls:
How do management ensure that emergency changes –
- are implemented without delay?
- are of appropriate quality?
- do not result in abuse of the change control system?

Workbook:
Emergency change procedures – quality and security implications


8. Changed components should be fit for business use

Controls:
How do management ensure that system changes comply with the appropriate development standards?
How do management ensure that system changes are of acceptable quality to end-users?
Does quality review include all appropriate documentary changes?
Are changes reviewed following live implementation?
How would management detect unauthorised components incorporated within an authorised change?

Workbook:
Discussion on –
- technical testing
- user acceptance testing
- system performance
- documentation
- post implementation review
- "Trojan Horse"/computer virus

9. Configuration items should be recorded accurately

Controls:
Is the system configuration recorded in respect of –
- hardware?
- software?
- documentation?
- data communications equipment?
Are the records comprehensive?
How do management ensure that configuration records are promptly updated to reflect system changes?
How do management protect the records from unauthorised change?
How do management ensure the records are realistic?

Workbook:
Discussion on –
- configuration management
- unauthorised change
- configuration auditing
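The questions under control objectives 2, 8 and 9 (only the specified components are changed; unauthorised components incorporated within an authorised change are detected; configuration records are protected from unauthorised change and audited) can be answered mechanically once the configuration records and the change's component list are held as data. The following is an added example, not part of the workbook and not any particular organisation's tooling: it applies an authorised change manifest to a recorded baseline, compares the result with an inventory scan to flag components that were changed, added or removed outside the manifest, and seals the configuration record with an HMAC so that records altered outside the approved procedure no longer verify. All hosts, component names, versions, the change identifier and the key are constructed placeholders.

```python
"""Configuration audit against an authorised change manifest (added example)."""
import hashlib
import hmac
import json

# Constructed sample: the configuration records held by management (a CMDB extract).
BASELINE = {
    "app-server-01": {"webapp": "2.3.0", "openssl": "1.1.1k", "config.xml": "rev-17"},
    "db-server-01": {"postgres": "12.4", "backup-agent": "4.1"},
}

# Constructed sample: the authorised change names exactly which components, at
# which versions, may differ once it has been implemented (control objective 2).
CHANGE_MANIFEST = {
    "id": "CHG-EXAMPLE-001",  # placeholder identifier, not a real change record
    "changes": {"app-server-01": {"webapp": "2.4.0", "config.xml": "rev-18"}},
}

# Constructed sample: what an inventory scan reports after implementation.
OBSERVED = {
    "app-server-01": {
        "webapp": "2.4.0",
        "openssl": "1.1.1k",
        "config.xml": "rev-18",
        "debug-tool": "0.1",  # absent from the manifest: an unauthorised component
    },
    "db-server-01": {"postgres": "12.4", "backup-agent": "4.1"},
}


def expected_after_change(baseline, manifest):
    """Apply the authorised manifest to the baseline to obtain the state that
    should exist after the change, and nothing more."""
    expected = {host: dict(items) for host, items in baseline.items()}
    for host, items in manifest["changes"].items():
        expected.setdefault(host, {}).update(items)
    return expected


def audit(expected, observed):
    """Return one (host, component, expected_version, observed_version) tuple per
    discrepancy. None on one side means the component is absent there, so an
    added, removed or differently versioned component all surface as findings."""
    findings = []
    for host in sorted(set(expected) | set(observed)):
        exp_items = expected.get(host, {})
        obs_items = observed.get(host, {})
        for comp in sorted(set(exp_items) | set(obs_items)):
            e, o = exp_items.get(comp), obs_items.get(comp)
            if e != o:
                findings.append((host, comp, e, o))
    return findings


def seal_record(record, key):
    """HMAC-SHA256 over a canonical JSON encoding of a configuration record.
    Re-sealing is part of the approved update procedure, so a record edited
    outside it no longer verifies (control objective 9)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_seal(record, key, tag):
    """Constant-time comparison of the stored tag with a freshly computed one."""
    return hmac.compare_digest(seal_record(record, key), tag)


if __name__ == "__main__":
    expected = expected_after_change(BASELINE, CHANGE_MANIFEST)
    for host, comp, e, o in audit(expected, OBSERVED):
        print(f"{CHANGE_MANIFEST['id']}: {host}/{comp} expected={e!r} observed={o!r}")
    key = b"constructed-demo-key"  # in practice held outside the change team's reach
    tag = seal_record(BASELINE, key)
    print("baseline record verifies:", verify_seal(BASELINE, key, tag))
```

Run as a script, the audit reports the one component on app-server-01 that the manifest did not authorise; the approved components and versions produce no findings. Keeping the sealing key away from the people who build and implement changes is what makes the seal meaningful, which is the same separation of roles control objective 5 asks about.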