
Change and Patch Management Controls

Presentation on theme: "Change and Patch Management Controls"— Presentation transcript:

1 Change and Patch Management Controls
Stephanie Tarr

2 Change and patch management
Defined as the set of processes executed within the organization's IT department to manage enhancements, updates, incremental fixes and patches to production systems, including application code revisions, system upgrades and infrastructure changes.

3 Top 5 Risks Indicators of Poor Change Management
Unauthorized changes
Unplanned outages
Low change success rate
High number of emergency changes
Delayed project implementations

4 Why is IT Change important?
Spend less money and IT energy on unplanned work
Spend more money on achieving business goals
Experience less downtime
Install patches with minimum disruption
Focus on improvements and less on "putting out fires"

5 Change Management Process
Most organizations have a process, but the question is whether it is as effective and efficient as possible, and whether it is used for all IT changes.
It is one of the most difficult disciplines to implement because of the cross-functional team involved: applications, developers, IT operations staff, auditors and business people.
To ease the process, each participant's role should be defined in the change management procedures.
The main goals of better managing an organization's IT changes are to reduce risk, reduce unplanned work, eliminate unintended results, and improve the quality of services for internal and external customers.

6 Sarbanes-Oxley Compliance
Uncontrolled changes in the production environment can lead to errors that, if pervasive or critical, might be considered significant deficiencies that must be reported to the organization's audit committee.
Serious deficiencies, also called "material weaknesses", are required to be disclosed publicly by public companies in their filings.
An IT general control (ITGC) weakness is classified as a "material weakness" if one or more of the following exists:
1. An application control weakness that is caused by, or related to, an ITGC weakness is rated as a material weakness.
2. The ITGC weakness leads to the conclusion that there is a material weakness in the organization's control environment.
3. An ITGC weakness classified as a significant deficiency remains uncorrected after some reasonable period of time.

7 COSO ERM Model for Change Management
Monitoring
Information and Communication
Control Activities
Risk Response
Risk Assessment
Event Identification
Objective Setting
Internal Environment

8 Assets subject to Change Management
Hardware: mainframes, servers, workstations, routers, switches, and mobile devices
Software: operating systems and applications
Information, data, and data structures: files and databases
Security controls such as anti-virus software, firewalls, and intrusion protection systems
Processes, policies, and procedures
Roles/responsibilities such as authorization, authority to act, and access controls

9 Change Management Metrics (Metrics and Indicators / Guidelines)
Metric: Number of changes authorized per week, as measured by the change management log of authorized changes. Guideline: High-performing organizations can sustain over 1,000 successful changes per week.
Metric: Number of actual changes made per week, as measured by detective controls such as monitoring software. Guideline: The number of changes actually implemented for the week should not exceed the number of authorized changes.
Metric: Change success rate. Guideline: High-performing organizations regularly achieve change success rates of 99%.
Metric: % of time spent on unplanned work. Guideline: Low is better.

10 Unplanned work as Indicator of Effective Change Management Process
# of Production Changes x (Failed Change % or Unauthorized Changes) x Mean Time to Repair = % of Time Spent on Unplanned Work
Failed Change % or Unauthorized Changes: Increase – effective change testing and change scheduling; Decrease – management ownership of the change process and effective separation of duties
Mean Time to Repair: Decrease – effective communications and monitoring of production changes

11 Common questions by auditors
Describe what controls you need in your change management process.
What is your acceptable number of unauthorized changes?
How disruptive is your patching process?
How do you keep overall watch on the health of the process?
What is the goal of your process?

12 Change Management Capability Levels
Scale: Changes Control the Organization ... Organization Controls the Changes
Reactive
Using the Honor System
Closed Loop Process
Continuously Improving

13 IT Management Necessary Controls
Preventative controls:
Change authorization (ex. documentation showing the CM process and authorization levels)
Separation of duties
Detective controls:
Supervision and monitoring (ex. changes to production equipment tracked in work logs and change orders)
Substantive sampling to audit the accuracy of the reconciliation between production changes and authorized changes
Corrective/Recovery controls:
Any change outside of the CM process is documented
Post-implementation reviews performed
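The detective control on slide 13 (reconciling production changes against authorized changes) and the metrics on slides 9 and 10 are easy to automate. The following is an added example, not code from the presentation: it matches changes observed by monitoring software against the authorized change log, flags anything with no ticket or outside its approved window, and produces the weekly indicators an auditor asks for. All hosts, ticket ids, timestamps and the 4-hour mean time to repair are constructed sample values.

```python
"""Added example (not part of the original presentation): reconcile observed
production changes against the authorized change log and compute the
change-management metrics from slides 9 and 10. All sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AuthorizedChange:
    change_id: str          # ticket in the change management log
    host: str
    window_start: datetime  # approved maintenance window
    window_end: datetime


@dataclass
class ObservedChange:
    host: str               # where monitoring software detected a change
    detected_at: datetime
    description: str
    succeeded: bool         # False = failed or rolled back


# Constructed authorized change log for one week (the preventative side).
AUTHORIZED = [
    AuthorizedChange("CHG-001", "web01", datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 4, 0)),
    AuthorizedChange("CHG-002", "db01", datetime(2024, 3, 5, 1, 0), datetime(2024, 3, 5, 3, 0)),
    AuthorizedChange("CHG-003", "web02", datetime(2024, 3, 6, 2, 0), datetime(2024, 3, 6, 4, 0)),
]

# Constructed output of a configuration-monitoring tool (the detective side).
OBSERVED = [
    ObservedChange("web01", datetime(2024, 3, 4, 2, 30), "nginx config updated", True),
    ObservedChange("db01", datetime(2024, 3, 5, 1, 45), "schema migration", False),
    ObservedChange("web02", datetime(2024, 3, 6, 3, 0), "TLS cert rotated", True),
    ObservedChange("app01", datetime(2024, 3, 7, 14, 12), "binary replaced", True),  # no ticket at all
    ObservedChange("web01", datetime(2024, 3, 8, 16, 0), "hotfix applied", True),    # outside any window
]


def reconcile(authorized, observed):
    """Match each observed change to an unused authorized change on the same host
    whose window contains the detection time. Returns (matched, unauthorized);
    matched is a list of (change_id, ObservedChange) pairs."""
    unused = list(authorized)
    matched, unauthorized = [], []
    for obs in observed:
        hit = next((a for a in unused
                    if a.host == obs.host and a.window_start <= obs.detected_at <= a.window_end),
                   None)
        if hit is None:
            unauthorized.append(obs)
        else:
            unused.remove(hit)  # one ticket authorizes one change
            matched.append((hit.change_id, obs))
    return matched, unauthorized


def change_success_rate(observed):
    """Share of implemented changes that did not fail or roll back (slide 9)."""
    return sum(1 for o in observed if o.succeeded) / len(observed)


def unplanned_work_pct(failed_or_unauthorized, mttr_hours, available_hours):
    """Slide 10: (failed or unauthorized changes) x mean time to repair, as a
    percentage of the team's available hours in the period."""
    return 100.0 * failed_or_unauthorized * mttr_hours / available_hours


def weekly_scorecard(authorized, observed, mttr_hours=4.0, available_hours=40.0):
    """Assemble the indicators from slides 9 and 10 for one week."""
    matched, unauthorized = reconcile(authorized, observed)
    failed = [o for o in observed if not o.succeeded]
    return {
        "authorized": len(authorized),
        "implemented": len(observed),
        "exceeds_authorized": len(observed) > len(authorized),  # slide 9 guideline
        "unauthorized": len(unauthorized),
        "success_rate_pct": round(100 * change_success_rate(observed), 1),
        "unplanned_work_pct": round(
            unplanned_work_pct(len(failed) + len(unauthorized), mttr_hours, available_hours), 1),
    }


if __name__ == "__main__":
    for key, value in weekly_scorecard(AUTHORIZED, OBSERVED).items():
        print(f"{key}: {value}")
```

On the constructed data the script matches three changes to tickets, flags two as unauthorized (one with no ticket, one applied outside its window), reports a success rate of 80% and 30% of the week's hours consumed by unplanned work; the substantive sampling on slide 13 would then pick a subset of the matched pairs and check the monitoring record against the ticket by hand.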

14 Internal Auditor’s Role
1. Understand the basic components of change management and ask questions
2. Assess the effectiveness of the change management process (perform a walk-through)
3. Obtain IT management's scorecard for measuring process effectiveness
4. Determine if IT management has assigned responsibility to someone other than a software developer
5. Determine if audit trails can be manipulated or destroyed
6. Look for the indicators of effective control management, with an emphasis on business risks
7. Aid management in improving their approach to change management
8. If IT functions are outsourced, determine if the Company's expectations are identified clearly in the service level agreements and contracts (ex. Who is responsible for day-to-day requests? Who monitors compliance with the SLAs?)
9. Support findings with the business value of effective change management as well as the risks

15 Visible Ops Handbook: Starting ITIL in Four Practical Steps
Stabilize the Patient
Find Fragile Artifacts
Create a repeatable build library
Continual improvements

