Enforcing IT Change Management Policy

By : Tripwire
INFORMATION
Published : Jun 07, 2007
Length : 8
Type : White Paper
 
Overview :

While planned, authorized changes have obvious benefits to systems and users, it’s the unknown, poorly executed, or even imperceptible changes that can result in serious negative impact to IT systems and processes.

The only way to truly prevent these kinds of changes is to create a culture of change management that has zero tolerance for unauthorized change. Companies that successfully embrace such a culture of change management spend less than five percent of IT time on unplanned work (also known as firefighting), experience a low number of "emergency" changes, and successfully implement desired changes more than 99 percent of the time.


Change Management Policy:

The Greeks knew long ago that it is impossible to step into the same river twice. Fast-forward from ancient Greece to our technology-driven century, and change occurs so rapidly it is difficult to manage. Managing change is one of the most difficult challenges that IT organizations face, and to effectively support and facilitate enterprise business goals, IT must also continually change. Sometimes these changes are significant, as in upgrading a network. Some changes are almost imperceptible, occurring without fanfare as services evolve and underlying IT infrastructure is maintained.

Infrastructure Complexity Magnifies the Impact of an IT Change Management Policy

IT organizations are responsible for a complex structure of "systems of systems," all of which must work together to deliver quality information and communication services. Each "service" requires a specific, integrated "stack" of systems, such as applications, databases, middleware, directory services, operating systems, and networks, in order to successfully deliver a set of functions or processes. The unique behavior and state of each system in a stack is determined by a multitude of elements, such as file systems and their attributes, configuration settings, users, and permissions, leading to the need for a change management policy.


This complexity means that changes in the IT infrastructure can potentially affect every part of a business operation, posing various degrees of risk to the enterprise. For example, an unauthorized change to firewall settings can result in serious vulnerabilities that not only threaten data and disrupt revenue-generating services, but that can also imperil compliance with regulatory requirements.

Instilling a Change Management Policy

A change management policy must be controlled to mitigate the inherent risk to IT's compliance, service quality, and security posture. Indeed, national and local laws, as well as private contractual arrangements, demand that organizations deploy effective controls on their IT infrastructures. One form of control is developing change management policies and processes. These processes are often based on best practices, such as the IT Infrastructure Library (ITIL), and supported by an array of system management techniques, tools, procedures, and policies that together help define the organization's change management process.

Having processes in place is not enough, however. Change management policies and controls must be systematically evaluated and enforced. If they are not, companies experience:

- Control deficiencies that can result in poor audit findings, potential fines, and other disciplinary measures

- Difficulty and higher costs to prepare for audits

- Service outages, unplanned work, and delayed delivery of strategic projects resulting from unauthorized and undocumented changes

- Increased risk and security vulnerabilities

- A lack of assurance about system security and data integrity

How High-performing Organizations Manage IT Change Management

Companies that successfully embrace change management policies gain at least three significant benefits:

- They spend less than 5 percent of IT time on unplanned work (also known as firefighting)

- They experience a low number of "emergency" changes

- They successfully implement desired changes more than 99 percent of the time, and experience no outages or episodes of unplanned work following a newly implemented change.


How do organizations become high performers? According to the Institute of Internal Auditors' Global Technology Audit Guide, Change and Patch Management Controls, these organizations have fostered a culture of change management that prevents and deters unauthorized change.

Enforcing IT Change Management Policy

In a change management culture, IT staff adhere to change policies and processes because managing change has become a strategic value, or part of the "DNA" of that IT organization. This culture starts at the top, with executives who understand that unauthorized change constitutes uncontrolled business risk. They not only expect policies to be followed, they also inspect processes to ensure that they are followed. "Trust but verify" is the mantra of top performers.

Top management must provide clear, consistent communication that sets expectations that change management policy must be followed. And they support that posture by ensuring that change policies are in place and enforced.

IT Change Management Policy Solutions:

Control over IT is achieved by instituting effective change management policies, then implementing robust controls to ensure that all changes are auditable and authorized, and that all unauthorized changes are investigated. Organizations with weak IT controls invariably spend a higher percentage of their resources on unplanned work, while producing sub-standard operational results and delivering inferior service to their customers.
