Change management auditing

From Wikipedia, the free encyclopedia

All or part of this article may be confusing or unclear. Please help clarify the article. Suggestions may be on the talk page. (December 2006)

This article or section appears to contain a large number of buzzwords. Please help rewrite this article to make it more concrete and meaningful.

This article or section is in need of attention from an expert on the subject. WikiProject Computer science or the Computer science Portal may be able to help recruit one. If a more appropriate WikiProject or portal exists, please adjust this template accordingly.

This article needs additional citations for verification. Please help improve this article by adding reliable references. Unsourced material may be challenged and removed. (July 2007)

Change management auditing is an information technology (IT) procedure for limiting unauthorized changes and errors to computer systems and disruptions to a company's IT assets, computer applications, and operating systems. A change management control system has specific procedures that define analysis, application, and review of changes to the computer infrastructure. Change management is therefore important to a company's IT security.

Contents 1 Change risks 2 Control procedure 3 See also 4 External links

[edit] Change risks

Proper change control auditing can mitigate the following risks:

• Security features of the network turn off.
• Harmful code is distributed to users.
• Sensitive data is lost or becomes insecure.
• Financial report errors occur.

[edit] Control procedure

The following features are commonly part of a change management auditing procedure:

Change management procedures are formally documented and controlled.

Changes are requested in a formal process.

Requests are recorded and stored for reference.

The effect of the requested change is assessed.

Each change is assessed based on its projected effect to the computer system and business operations. The assessment is documented with the request.

Priority is based on urgency, potential benefits, and the ease with which changes can be corrected.

Controls are imposed on changes.

Changes are limited by automated or manual controls. In particular, unauthorized changes are periodically searched for.

An emergency change process is in place.

Policies clearly define emergency changes. Generally, these are errors that significantly impair system function and business operations, increase the system's vulnerability, or both. Emergency changes override some, but not all, controls. For instance, a proposed change might be documented, but not permitted without authorization.

Change documentation is periodically updated.

Maintenance tasks and changes are recorded.

Controls are applied to new software releases.

For security, new software releases often require controls such as back ups, version control, and a secure implementation.

Software distribution is assessed for compliance.

Software distribution is assessed for compliance with licence agreements. Noncompliance can have disastrous financial and legal results.

Changes are submited for approval.

Proposed changes are submitted for approval after auditors have reviewed the required resources, other changes, the effect, urgency, and the system's stability.

Duties are separated

Responsibility for creation, approval, and application are assigned to different personnel to avoid undesired changes.

Changes are reviewed.

Changes are monitored to assess the efficacy of change management policies.

[edit] See also

• Change management
• Information technology audit
• Information technology audit - operations

[edit] External links

• International Organization for Standardization (ISO)
• Information Systems Audit and Control Association (ISACA)