Practical Guidance in Achieving Successful Change Management in Information System Environments

Jeffrey S. Zanzig, Guillermo A. Francia III, Xavier P. Francia
Copyright: © 2019 |Pages: 26
DOI: 10.4018/978-1-5225-7271-8.ch003


Situations such as improvements in business transaction processing and various security issues keep today's information systems in a constant state of change. Serious disruption of company operations can occur when changes are improperly planned and/or carried out. In addition to technological issues, an equally important consideration is in regard to how information system changes will affect organizational personnel. The Institute of Internal Auditors has identified seven steps that can be used to effectively implement change in an information system environment. This along with a discussion of significant issues in managing system patches provides an appropriate background to consider a model for evaluating the maturity of an organization's change management process in an information system environment. The highly respected COBIT guidance from the ISACA is included throughout much of the discussion to provide support for many of the suggested change management practices.
Chapter Preview


In the rapidly changing world of information technology it is imperative that organizations maintain a constant vigilance to ensure that their computer systems stay up-to-date. Some common problems in applying change management to an information system environment are delays in implementing software updates and the errors occurring during the update process. Schmidt and White (2017) point out that it is commonly understood that any significant piece of software has vulnerabilities that will eventually be discovered and require an update to correct them. For the average person, this can be as simple as pressing a button to agree to the update. However, it is common for many companies to make use of a complicated set of interacting software components where changing one thing can affect the system in a variety of unanticipated ways. In such situations, companies lacking sufficient financial resources and/or expertise may be more likely to postpone system changes.

A recent hacking of the personal data of approximately 143 million persons at Equifax illustrates what can happen when a company uses software that has known security weaknesses that are not addressed in a timely manner. As is true with many Fortune 100 firms, Equifax made use of open-source software to run parts of its website. One explanation for the security breach suggests that Equifax had a history of outsourcing software development to off-shore locations, with no one internally who had any significant experience with the software that needed updating (Schmidt and White, 2017). However, software issues can also be attributed to situations where incorrect changes are made to address a vulnerability or make an improvement. For example, Goldman Sachs ended up paying a $7 million penalty that resulted from a software configuration error that mistakenly “converted the firm’s ‘contingent orders’ for various options series into live orders and assigned them all a price of $1.” The Securities and Exchange Commission (SEC) determined that “Goldman’s written policies relating to the implementation of software changes did not require several precautionary steps that, if taken, would likely have prevented the erroneous options incident” (SEC, 2015).

The ISACA is well known for its development of international information system auditing and control standards. One of their most significant contributions is a continuing project known as the Control Objectives for Information and related Technology (COBIT) framework. COBIT 5 “helps enterprises create optimal value from information technology (IT) by maintaining a balance between realizing benefits and optimizing risk levels and resource use.” The management process of COBIT 5 contains four domains:

  • Align, Plan and Organize (APO)

  • Build, Acquire and Implement (BAI)

  • Deliver, Service and Support (DSS)

  • Monitor, Evaluate and Assess (MEA)

COBIT 5 contains explanations of specific management practices that can be tailored to the development of various objectives that a company may wish to accomplish within each domain. COBIT 5 states that “each enterprise must define its own process set, taking into account its specific situation.” In addition, the ISACA provides a process capability model in COBIT 5 that possesses some overlap with the maturity model of COBIT 4.1 (ISACA, 2012a).

The Institute of Internal Auditors (2012) issued an updated Global Technology Audit Guide (GTAG) entitled Change and Patch Management Controls Critical for Organizational Success. It contains information to guide internal auditors when working in conjunction with information technology professionals to manage information system changes. The concepts of change and patch management include processes “designed to manage the enhancements, updates, incremental fixes, and patches to production systems.”

Key Terms in this Chapter

Patch Management Process: A process that involves the acquisition, testing, and deployment of system or application updates.

Detective Controls: Controls put in place to identify errors or irregularities that have occurred.

Control Procedures: Policies put in place to aid in the mitigation of risks in the accomplishment of organizational objectives.

Organizational Metrics: The measure of the effectiveness of an organization’s standards, policies, and procedures in enhancing security.

Configuration Management: The practice of controlling logical or structural arrangement within an organization to enhance productivity.

Maturity Model: A technique to measure the ability of an organization to implement continuous improvement processes.

Change Management: The application of a well-defined approach to transition an organization from a current state to a future state so that expected benefits can be accomplished.

Operational Metrics: The measure of the effectiveness of the implementation of an organization’s standards, policies, and procedures.

Preventive Controls: Controls put in place to lessen the probability that errors or irregularities will occur.
