Many organizations invest considerable resources in implementing IT Governance and compliance frameworks in order to comply with regulatory requirements such as section 404 of the Sarbanes-Oxley Act of 2002. The ISACA Cobit 4.1 framework is one of the leading tools used to manage and improve IT controls. Many managers find it difficult to ascertain and understand exactly what needs to be done in order to achieve compliance. This article explains the process for analyzing and implementing the description of an IT control. Every organization must follow the advice and counsel of their own professional legal, audit and compliance experts. However, managers also need to be able to understand exactly what the controls mean and require in order to go beyond simply meeting the letter of the law (and actually realizing improved productivity and quality). Read on if you would like to turn your compliance effort into your own process improvement initiative!
Tackling the complexity
The Cobit 4.1 framework defines 34 IT Processes that are commonly used to establish effective IT controls. These processes are grouped into four domains:
1. Plan and Organize (e.g. Defining a Strategic Plan)
2. Acquire and Implement (e.g. Acquire and Maintain Application Software)
3. Deliver and Support (e.g. Define and Manage Service Levels)
4. Monitor and Evaluate (e.g. Monitor and Evaluate IT Performance)
In this article we will closely examine one of the Cobit 4.1 IT Processes, from the “Acquire and Implement” category, and explain exactly how it can be implemented.
The AI6 – Manage Changes IT Process is an essential control that must be implemented successfully in any IT compliance effort. The Cobit framework describes this control as follows:
“All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.”
Achieving control over the IT Process of Managing Changes can be accomplished by:
1. Defining and communicating change procedures, including emergency changes
2. Assessing, prioritizing and authorizing changes
3. Tracking status and reporting on changes
However, understanding exactly how to implement this control is not straightforward, and succeeding can take considerable effort. The Cobit framework notes that the process should focus on:
1. Controlling impact assessment, authorization and implementation of all changes to the IT infrastructure, applications and technical solutions
2. Minimizing errors due to incomplete request specifications
3. Halting implementation of unauthorized changes
The key to understanding exactly how to implement the “Manage Changes” IT Process is to analyze and implement each of the Cobit control practices described below. Each control practice indicates specific tasks that need to be accomplished as part of implementing the Change Management control:
Change Standards and Procedures
1. Develop, document and promulgate a change management framework that specifies the policies and processes including:
- Roles and responsibilities
- Classification and prioritization of all changes based on business risk
- Assessment of impact
- Authorization and approval of all changes by the business process owners and IT
- Tracking and status of changes
- Impact on data integrity (e.g., all changes to data files being made under both system and application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.
5. Consider the impact of contracted services providers (e.g., of infrastructure, application development and shared services) on the change management process. Consider integration of organizational change management processes with change management processes of service providers. Consider the impact of the organizational change management process on contractual terms and SLAs.
Impact Assessment, Prioritization and Authorization
1. Develop a process to allow business process owners and IT to request changes to infrastructure, systems or applications. Develop controls to ensure that all such changes arise only through the change request management process.
2. Categorize all requested changes (e.g., infrastructure, operating systems, networks, application systems, purchased/packaged application software).
3. Prioritize all requested changes. Ensure that the change management process identifies both the business and technical needs for the change. Consider legal, regulatory and contractual reasons for the requested change.
4. Assess all requests in a structured fashion. Ensure that the assessment process addresses impact analysis on infrastructure, systems and applications. Consider security, legal, contractual and compliance implications of the requested change. Consider also interdependencies amongst changes. Involve business process owners in the assessment process, as appropriate.
5. Ensure that each change is formally approved by business process owners and IT technical stakeholders, as appropriate.
Emergency Changes
1. Ensure that a documented process exists within the overall change management process to declare, assess, authorize and record an emergency change.
2. Ensure that emergency changes are processed in accordance with the emergency change element of the formal change management process.
3. Ensure that all emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
4. Conduct a post-implementation review of all emergency changes, involving all concerned parties. The review should consider implications for aspects such as further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.
Change Status Tracking and Reporting
1. Establish a process to allow requestors and stakeholders to track the status of requests throughout the various stages of the change management process.
2. Categorize change requests in the tracking process (e.g., rejected, approved but not yet initiated, approved and in process, and closed).
3. Implement change status reports with performance metrics to enable management review and monitoring of both the detailed status of changes and the overall state (e.g., aged analysis of change requests). Ensure that status reports form an audit trail so changes can subsequently be tracked from inception to eventual disposition.
4. Monitor open changes to ensure that all approved changes are closed in a timely fashion, depending on priority.
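The control practices above stay on paper unless something actually checks production against the change records. As an added illustration (not part of the original article or of the Cobit material), the following Python script shows how three of them can be operationalized as one recurring reconciliation: the focus area of halting unauthorized changes and the practice that all changes arise only through the change request process (every production deployment must reference an approved change for the same system, inside its approved window), the aged analysis of open changes by priority called for in the status reporting practices, and the emergency-change practice that temporary access is revoked once the change is applied. The record layouts, field names, closure targets, systems, tickets and people are constructed assumptions for the example, not a real ticketing tool's schema.

```python
# Reconcile a production deployment log against change records. Added example for
# this article; record layouts, field names, SLA days and sample rows are constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Days an approved change may stay open before it is reported as aged
# (constructed values; a real programme sets these from its own policy).
CLOSE_SLA_DAYS = {"high": 7, "medium": 30, "low": 90}

@dataclass
class Change:
    change_id: str
    system: str
    priority: str
    status: str                      # requested / rejected / approved / in_process / closed
    opened: datetime
    emergency: bool = False
    approved_by: Optional[str] = None
    window_start: Optional[datetime] = None
    window_end: Optional[datetime] = None
    emergency_access_granted: bool = False
    emergency_access_revoked: bool = False

@dataclass
class Deployment:
    when: datetime
    system: str
    change_id: Optional[str]         # None when the deploy tool recorded no ticket

def reconcile_deployments(changes, deployments):
    """A deployment is authorized only if it references an approved change
    for the same system and falls inside that change's approved window."""
    by_id = {c.change_id: c for c in changes}
    findings = []
    for d in deployments:
        if d.change_id is None:
            findings.append((d, "no change record referenced"))
            continue
        c = by_id.get(d.change_id)
        if c is None:
            findings.append((d, f"unknown change {d.change_id}"))
        elif c.status not in ("approved", "in_process", "closed") or c.approved_by is None:
            findings.append((d, f"change {c.change_id} not approved (status={c.status})"))
        elif c.system != d.system:
            findings.append((d, f"change {c.change_id} approved for {c.system}, not {d.system}"))
        elif c.window_start and c.window_end and not (c.window_start <= d.when <= c.window_end):
            findings.append((d, f"deployed outside approved window of {c.change_id}"))
    return findings

def aged_analysis(changes, now):
    """Counts per status, plus open changes past their priority's closure target."""
    counts, overdue = {}, []
    for c in changes:
        counts[c.status] = counts.get(c.status, 0) + 1
        if c.status in ("approved", "in_process"):
            age = (now - c.opened).days
            if age > CLOSE_SLA_DAYS.get(c.priority, 30):
                overdue.append((c.change_id, c.priority, age))
    return counts, overdue

def unrevoked_emergency_access(changes):
    """Emergency changes whose temporary access was granted but never revoked."""
    return [c.change_id for c in changes
            if c.emergency and c.emergency_access_granted and not c.emergency_access_revoked]

# Constructed sample records (hypothetical systems, tickets and approvers).
NOW = datetime(2024, 3, 15, 9, 0)
SAMPLE_CHANGES = [
    Change("CHG-101", "billing-app", "medium", "closed", datetime(2024, 2, 20),
           approved_by="owner.billing", window_start=datetime(2024, 3, 1, 22, 0),
           window_end=datetime(2024, 3, 2, 2, 0)),
    Change("CHG-102", "core-db", "high", "in_process", datetime(2024, 3, 1),
           approved_by="owner.finance", window_start=datetime(2024, 3, 10, 22, 0),
           window_end=datetime(2024, 3, 11, 2, 0)),          # open 14 days at high priority
    Change("CHG-103", "web-frontend", "low", "requested", datetime(2024, 3, 12)),
    Change("CHG-104", "core-db", "high", "closed", datetime(2024, 3, 5), emergency=True,
           approved_by="duty.manager", window_start=datetime(2024, 3, 5, 3, 0),
           window_end=datetime(2024, 3, 5, 6, 0), emergency_access_granted=True),
]
SAMPLE_DEPLOYMENTS = [
    Deployment(datetime(2024, 3, 1, 23, 15), "billing-app", "CHG-101"),   # authorized
    Deployment(datetime(2024, 3, 10, 23, 40), "core-db", "CHG-102"),      # authorized
    Deployment(datetime(2024, 3, 12, 14, 5), "web-frontend", "CHG-103"),  # not yet approved
    Deployment(datetime(2024, 3, 13, 16, 30), "core-db", None),           # no ticket at all
    Deployment(datetime(2024, 3, 14, 1, 0), "billing-app", "CHG-101"),    # old ticket, outside window
]

def run_report(changes=SAMPLE_CHANGES, deployments=SAMPLE_DEPLOYMENTS, now=NOW):
    findings = reconcile_deployments(changes, deployments)
    counts, overdue = aged_analysis(changes, now)
    return {"unauthorized": [(d.change_id, reason) for d, reason in findings],
            "status_counts": counts, "overdue": overdue,
            "unrevoked_emergency_access": unrevoked_emergency_access(changes)}

if __name__ == "__main__":
    print(run_report())
```

The deployment log is the independent source here: it has to come from the deploy tooling or host audit trail, not from the ticketing system, or the reconciliation only proves the tickets agree with themselves. The last sample row shows why the window check matters; a closed ticket reused weeks later is an unauthorized change even though the ticket number is valid.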
Change Closure and Documentation
1. Ensure that documentation—including operational procedures, configuration information, application documentation, help screens and training materials—follows the same change management procedure and is considered to be an integral part of the change.
2. Consider an appropriate retention period for change documentation and pre- and post-change system and user documentation.
3. Update business processes for changes in hardware or software to ensure that new or improved functionality is used.
4. Subject documentation to the same level of testing as the actual change.
Challenges to implementation
There are any number of reasons why managers might have difficulty implementing any one of these controls. For example, implementing a change management framework can result in significant organizational resistance to change. In future articles we will discuss exactly how to overcome these and other challenges.
Conclusion
The Cobit 4.1 framework provides detailed information on exactly how to implement IT controls that enable organizations to meet their compliance goals. The key to effectively using this framework is to operationalize each of these controls into specific tasks that can be implemented in the organization. Investing the time and effort to implement effective IT compliance controls can result in significant value for you and your organization.