Change management auditing

Change management is an auditing procedure for mitigating the risks associated with changes made to an IT system. Limiting unauthorized changes and having proper segregation of duties controls in place are essential to reduce the risk of implementing IT changes into production environments that contain untested errors, malicious code or segregation of duties violations, any of which could ultimately have a negative impact on a company's critical IT systems. Change management is an essential component of a company's IT security.

Change risks

Proper change control auditing can mitigate the following risks:

  • Security features of the network are turned off.
  • Harmful code is distributed to users.
  • Sensitive data is lost or becomes insecure.
  • Financial report errors occur.

Control procedure

The following features are commonly part of a change management auditing procedure:

  • Change management procedures are formally documented and controlled.
  • Changes are requested in a formal process. Requests are recorded and stored for reference.
  • The effect of the requested change is assessed. Each change is assessed based on its projected effect on the computer system and business operations, and the assessment is documented with the request. Priority is based on urgency, potential benefits, and the ease with which changes can be corrected.
  • Controls are imposed on changes. Changes are limited by automated or manual controls; in particular, unauthorized changes are periodically searched for.
  • An emergency change process is in place. Policies clearly define emergency changes. Generally, these address errors that significantly impair system function and business operations, increase the system's vulnerability, or both. Emergency changes override some, but not all, controls: for instance, a proposed change might be documented but still not permitted without authorization.
  • Change documentation is periodically updated. Maintenance tasks and changes are recorded.
  • Controls are applied to new software releases. For security, new software releases often require controls such as backups, version control, and a secure implementation.
  • Software distribution is assessed for compliance. Software distribution is assessed for compliance with licence agreements; noncompliance can have disastrous financial and legal results.
  • Changes are submitted for approval. Proposed changes are submitted for approval after auditors have reviewed the required resources, other changes, the effect, urgency, and the system's stability.
  • Duties are separated. Responsibility for creation, approval, and application is assigned to different personnel to avoid undesired changes.
  • Changes are reviewed. Changes are monitored to assess the efficacy of change management policies.
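As an added illustration that is not part of the original article, the following Python reconciles a constructed change register against a constructed production deployment log to find the control failures the procedure above is designed to catch: changes applied with no record or without authorization (including emergency changes that skipped it), missing impact assessments, and segregation of duties violations. The record layouts, field names and sample people are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Record layouts and sample data are constructed for this example, not a real tool's schema.
@dataclass
class ChangeRequest:
    change_id: str
    requester: str            # person who created the change
    approver: Optional[str]   # None: never authorized
    emergency: bool = False   # emergency changes may defer the assessment
    assessment: str = ""      # documented projected effect on systems/business

@dataclass
class Deployment:
    change_id: Optional[str]  # None: applied to production with no change record
    applied_by: str           # person who applied the change

def audit(register, deployments):
    """Return (finding, change_id) pairs for every control failure found."""
    by_id = {r.change_id: r for r in register}
    findings = []
    for dep in deployments:
        req = by_id.get(dep.change_id)
        if req is None:  # periodic search for changes with no record at all
            findings.append(("UNAUTHORIZED_NO_RECORD", dep.change_id))
            continue
        if req.approver is None:  # emergency overrides some controls, not this one
            findings.append(("UNAUTHORIZED_NO_APPROVAL", req.change_id))
        if not req.assessment and not req.emergency:
            findings.append(("MISSING_ASSESSMENT", req.change_id))
        # Segregation of duties: creation, approval and application by different people
        people = [req.requester, dep.applied_by]
        if req.approver is not None:
            people.append(req.approver)
        if len(set(people)) < len(people):
            findings.append(("SOD_VIOLATION", req.change_id))
    return findings

SAMPLE_REGISTER = [
    ChangeRequest("CHG-1", "alice", "bob", assessment="patch, low impact"),
    ChangeRequest("CHG-2", "carol", "carol", assessment="config change"),  # self-approved
    ChangeRequest("CHG-3", "dave", None, emergency=True),                 # never authorized
    ChangeRequest("CHG-4", "erin", "frank", emergency=True),              # assessment deferred
    ChangeRequest("CHG-5", "gina", "hal"),                                # no assessment
]
SAMPLE_DEPLOYMENTS = [
    Deployment("CHG-1", "ops1"), Deployment("CHG-2", "ops1"), Deployment("CHG-3", "dave"),
    Deployment("CHG-4", "ops2"), Deployment("CHG-5", "ops2"), Deployment(None, "ops3"),
]

def run_sample_audit():
    return audit(SAMPLE_REGISTER, SAMPLE_DEPLOYMENTS)
```

Each finding names the failed control, so the output can be filed directly as audit evidence against the register entry it refers to.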

Wikimedia Foundation. 2010.
