Assurance for Change Management With COBIT 2019 and CMMC Maturity Frameworks

Jeffrey S. Zanzig, Guillermo A. Francia, III
DOI: 10.4018/978-1-7998-4799-1.ch006

Abstract

As technology plays an ever-increasing role in carrying out structured tasks in today's society, people are given more time to focus their attention on higher levels of service and personal development. However, technology is in a constant state of change, and assurance services are needed to help ensure that technology changes are accomplished properly. The Institute of Internal Auditors has identified 10 steps that can be used to effectively implement changes in technology. This process and its accompanying internal controls can be assessed through an internal audit function that considers issues of both functionality and security. In addition, continuous improvement of the change management process for technology can be evaluated through capability/maturity models to see if organizations are achieving higher levels of accomplishment over time. Such models include the COBIT 2019-supported capability maturity model integration (CMMI) model and the cybersecurity maturity model certification (CMMC) framework used by defense industrial base organizations.
Chapter Preview

Introduction

The technology of today provides organizations with a tremendous ability to store and process information, so that people have more time to focus on higher-level activities that are considered to add more value in meeting customer needs. This does not mean that technology, once implemented, relieves organizations of the need to understand and revise the functioning of computer systems. Current issues, including privacy of personal data, theft of trade secrets, and safety of company products and services, are all affected by the ability of organizations to properly implement changes to the applications that make up today's technology systems. The following examples illustrate that assurance over technology needs to address issues of both functionality and cybersecurity.

A number of tragic incidents involving computer glitches on the Boeing 737 MAX jet illustrate what can happen when computer software is changed but not adequately tested before being placed into operation. The original issues with the jet resulted from a problem in the plane's flight control system, called MCAS, that assisted in maintaining a proper balance of the plane while in flight. The system misfired in a manner that "repeatedly and forcefully pushed the planes' noses down, overpowering pilot commands and ending in fatal dives." Since the grounding of the 737 MAX, Boeing has been working to revise the software to correct the problem by making such misfires less likely and easier for pilots to counter when they do occur. In its efforts to correct the software, Boeing ran into another glitch that stops the plane's flight control computers from powering up and confirming that the system is ready for flight. The software fix was originally tested mostly on ground-based simulators, which did not show the power-up problems (Pasztor, 2020).

A recent event at Garmin Ltd., which makes navigation systems for cars, boats, and planes, illustrates that organizations must also be careful to ensure that proper cybersecurity measures are built into their technology. The company's Garmin Pilot, which provides weather and flight plan data to pilots, was recently interrupted when hackers apparently encrypted a few of its systems, but stopped short of a ransomware attack (Choi, 2020).

ISACA is well known for its development of international information system auditing and control standards. One of its most significant contributions is a continuing project known as the Control Objectives for Information and Related Technology (COBIT) framework. The management process of COBIT 2019 contains four domains:

  • Align, Plan and Organize (APO)

  • Build, Acquire and Implement (BAI)

  • Deliver, Service and Support (DSS)

  • Monitor, Evaluate and Assess (MEA)

COBIT 2019 contains explanations of specific management practices that can be tailored to the development of various objectives that a company may wish to accomplish within each domain. Each organization should decide on its own combination of management practices based on the unique environment in which it operates.

In 2020, The Institute of Internal Auditors issued an updated Global Technology Audit Guide (GTAG) entitled Change and Patch Management Controls Critical for Organizational Success. It contains information to guide internal auditors when working in conjunction with information technology professionals to manage information technology changes. “Change management can be defined as the systematic set of processes that are executed within an organization’s IT function to manage enhancements, updates, installations, implementations, incremental fixes, and patches to production systems. Properly implemented, change management protects the production environment (“live” environment) and provides the organization with a repeatable, measurable, and auditable process that captures all technology-related changes.”

The Cybersecurity Maturity Model Certification (CMMC) Framework requires organizations in the Defense Industrial Base sectors to remain in compliance with mandatory practices, procedures, and capabilities to confront evolving cyber threats and intrusions. The chapter will visit this framework and consider its implications for change management as it applies to organizations working with the U.S. Department of Defense.

Key Terms in this Chapter

Patch Management: A systematic approach to acquiring, validating, implementing, and deploying a system patch.

Change Management: A disciplined approach to controlling change and its intended or unintended effects.

Internal Controls: Systematic measures instituted by an organization to ensure the integrity of its operations.

Risk Management: A systematic approach to identifying threats and controlling the impact of uncertain events as a consequence of their realization.

Compliance: The state of complying with all rules, laws, regulations, standards, and ethical practices that apply to the organization.

Maturity Level: The degree of the formality and optimization of a process.
