Page 1: All-In-One Edition
Chapter 18 – Change Management
Brian E Brzezicki
Page 2: Change Management
Page 3: Computer software, systems and networks are complex, growing systems. They constantly evolve, and the ability to understand and recreate them, as well as to prove their integrity, is critical to an organization's health and security.
Think of a system you run… what happens if the building burned down and you had to recreate that system? How would you do that if you had no change control and no documentation?
Page 4: Change Management
Whether regulated (e.g. by SOX) or not, organizations should always implement change management controls and follow best practices. Change management should occur throughout the entire lifecycle of all products, systems, and networks. This includes:
• Software development and revision control
• Network and system configuration
• Software and system patches
Page 5: Change Management Process
1. Request change
2. Change Management Board approves changes (who is that… next)
3. Change is documented
4. Change is tested
5. Change is implemented
6. Change is reported to management
Page 6: Change Control Board
Who might be on the Change Control Board?
• Project Managers
• Network Administrators
• Systems Administrators
• Security Administrators
• Operations Managers
• Help Desk Managers
• Others… as required
Page 7: Separation of Duties
Separation of duties is important to change management: it ensures that no single party can subvert or skip the change management procedures. Some best practices:
• The jobs of developing, building, and installing software should be done by different people
• Software developers should not be part of the QA/test team
• Software developers should not have access to install the software on production machines
• System admins should not have access to the source code
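As an added example (not part of the original slides), the six-step process on page 5 and the separation-of-duties rules above can be enforced mechanically before a change is allowed into production. The record layout, role names and sample records below are assumptions for illustration; a real change tracker would supply them.

```python
# Added example: validate a change record against the workflow and
# separation-of-duties rules from the slides. Record format is assumed.
from dataclasses import dataclass

# The six workflow steps, in the order they must occur (slide "Change Management Process").
WORKFLOW = ["requested", "approved", "documented", "tested", "implemented", "reported"]

# Role pairs that must not be held by the same person for one change.
CONFLICTING_ROLES = [
    ("developer", "tester"),     # developers are not on the QA/test team
    ("developer", "installer"),  # developers do not install on production
    ("builder", "installer"),    # development, build and install are separate jobs
    ("developer", "builder"),
]

@dataclass
class ChangeRecord:
    change_id: str
    roles: dict            # role name -> person holding that role for this change
    steps_completed: list  # workflow steps recorded so far, in the order they happened

def check_separation_of_duties(record):
    """Return the list of SoD violations (empty list means the record passes)."""
    problems = []
    for a, b in CONFLICTING_ROLES:
        if a in record.roles and record.roles[a] == record.roles.get(b):
            problems.append(f"{record.roles[a]} holds both {a} and {b} on {record.change_id}")
    return problems

def check_workflow_order(record):
    """Return violations of step order: the recorded steps must be a prefix of WORKFLOW.
    This catches e.g. 'implemented' being recorded before 'tested'."""
    expected = WORKFLOW[: len(record.steps_completed)]
    if record.steps_completed != expected:
        return [f"{record.change_id}: steps {record.steps_completed} != expected {expected}"]
    return []

def is_change_compliant(record):
    return not (check_separation_of_duties(record) + check_workflow_order(record))

# Constructed sample records (hypothetical people and change ids).
GOOD = ChangeRecord("CHG-1",
    {"requester": "ana", "developer": "bob", "builder": "cy", "tester": "dee", "installer": "eve"},
    ["requested", "approved", "documented", "tested", "implemented", "reported"])
BAD = ChangeRecord("CHG-2",  # one person develops, builds and installs; testing was skipped
    {"requester": "bob", "developer": "bob", "builder": "bob", "tester": "dee", "installer": "bob"},
    ["requested", "approved", "implemented"])

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec.change_id, "compliant" if is_change_compliant(rec) else "REJECTED",
              check_separation_of_duties(rec) + check_workflow_order(rec))
```

Wired into a deployment pipeline, a non-empty result from either check is the point at which the change is sent back rather than installed.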
Page 8: Chapter 18 - Review
Q: What is the purpose of change control?
Q: Why is it important that a developer not have access to a production system and its data?
Q: Why is it important that an admin not have access to an application's source code and compilers?
Q: What is regression testing?