Enforcing IT Change Management Policy

WHITEpaper
Enforcing IT Change Management Policy
"Everything flows, nothing stands still." -Heraclitus
page 2 Introduction
page 2 How High-performing Organizations Manage Change
page 3 Maturing IT?Processes
page 5 Enforcing Change Policy
page 6 Tripwire Facilitates Change Management
page 8 Why Change Control is Worth It
©2007 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.WHITE?PAPEREnforcing IT Change Management Policy
The Greeks knew long ago that it is impossible to step into the same river twice. Fast-forward from ancient Greece to our technology-driven century, and change occurs so rapidly it is difficult to manage. Managing change is one of the most difficult challenges that IT organizations face, and to effectively support and facilitate enterprise business goals, IT must also continually change. Sometimes these changes are significant, as in upgrading a network. Some changes are almost imperceptible, occurring without fanfare as services evolve and underlying IT infrastructure is maintained.
Infrastructure Complexity Magnifies the Impact of ChangeWhile planned, authorized changes have obvious benefits to systems or users, unknown and even imperceptible changes can result in serious negative impact to IT systems and processes. IT organizations are responsible for a complex structure of "systems of systems," all of which must work together to deliver quality information and communication services. Each "service" requires a specific, integrated "stack" of systems-such as applications, databases, middleware, directory services, operating systems, and networks-in order to successfully deliver a set of functions or processes. The unique behavior and state of each system in a stack is determined by a multitude of elements, such as file systems and their attributes, configuration settings, users, and permissions.
This complexity means that changes in the IT infrastructure can potentially affect every part of a business operation, posing various degrees of risk to the enterprise. For example, an unauthorized change to firewall settings can result in serious vulnerabilities that not only threaten data and disrupts revenue-generating services, but that can also imperil compliance with regulatory requirements.
Instilling Change ControlsChange must be controlled to mitigate the inherent risk to IT's compliance, service quality, and security posture. Indeed, national and local laws, as well as private contractual arrangements, demand that organizations deploy effective controls on their IT infrastructures. One form of control is developing change management processes. These processes are often based on best practices, such as the IT Infrastructure Library (ITIL), and supported by an array of system management techniques, tools, procedures, and policies that together help define the organization's change management process.
Having processes in place is not enough, however. Change management policies and controls must be systematically evaluated and enforced. If they are not, companies experience:. Control deficiencies that can result in poor audit findings, potential fines, and other disciplinary measures. Difficulty and higher costs to prepare for audits. Service outages, unplanned work, and delayed delivery of strategic projects resulting from unauthorized and undocumented changes. Increased risk and security vulnerabilities. A lack of assurance about system security and data integrity
How High-performing Organizations Manage ChangeCompanies that successfully embrace change management gain at least three significant benefits:. They spend less than 5 percent of IT time on unplanned work (also known as firefighting). They experience a low number of "emergency" changes. They successfully implement desired changes more than 99 percent of the time, and experience no outages or episodes of unplanned work following a newly implemented change.
How do organizations become high performers? According to the Institute of Internal Auditors' Global Technology Audit Guide, Change and Patch Management Controls, these organizations have fostered a culture of change management that prevents and deters unauthorized change.
Page 2WHITE?PAPEREnforcing IT Cha... [download for more]