
Automating Change Management for Security, Compliance, Stability and Sanity!

By: Ecora Software
Published: Mar 15, 2007
Length: 4
Type: White Paper
 
Overview: Learn the importance of change management in today's complex IT infrastructures.

This whitepaper will review all aspects of change management and present concrete steps you can use to take control of change in your environment.

The Implications of Change
All IT systems are in a constant state of flux, with changes taking place minute by minute. Right now, for example, it is likely that, on your own IT system, someone is installing an application or patch, changing a configuration setting, adding a new user, rolling out a new desktop, or making some other type of change. And even a simple change can greatly impact systems, servers, and applications. When any change occurs, the infrastructure moves from a “known” state—where systems are secure and operating effectively—to an “unknown” state where it is impossible to be confident that everything is as intended. In fact, any change can have a number of implications, which can affect everything from operational efficiency, risk management, and business continuity to security, systems integrity, and regulatory compliance.

This occurs because each component and setting in the IT environment is dependent on other components or settings, and every new device or application adds settings and new dependencies. This level of complexity makes controlling change more and more challenging.

Let me give you a simple example. An Ecora Software customer had a problem with their Exchange server, so their email wasn’t operating. They tried one thing after another to get the server up and running without any success. In the end, the administrator re-installed everything so that the Exchange server—and email—was working again. Everybody was happy, until a security breach was identified several weeks later. You see, when the administrator did the install, he forgot about re-installing the service packs, which had patched some major security problems.

According to Gartner, eight of every ten incidents of unscheduled downtime can be traced to change, and in this case, as in so many others, the problem can be traced to a change.

The Evolution of IT Compliance and Best Practices
Almost every organization deals with regulatory compliance requirements on some level, and it is no longer acceptable to be compliant just for an audit alone.

With requirements increasing, expectations for continuous compliance are growing. Financial institutions, for example, may be audited several times each quarter by different regulatory agencies, which necessitates a state of constant readiness—and makes it essential that IT staff members are not tied up in “fire drill mode.” These organizations have made compliance a standard procedure so there is no need to “get ready” for an audit. Best business practices are being integrated into daily IT service delivery, controls are in place, and solid reports are available so that these organizations are always ready for an audit.

Change management is at the heart of every regulatory standard. If an organization is not controlling what’s changing in the IT infrastructure, the risk of security exposure is great. Unfortunately, many organizations don’t consider the relationship between change management and security, and, particularly, the threat that can come from uncontrolled changes made by employees within the organization itself.

How can this type of security issue be discovered and controlled? There are literally thousands of configuration settings—including access control lists, credentials, permissions, password aging, patches, etc.—that control security. All applications have access controls, for example, and if an organization is not monitoring changes to access controls, it can’t be completely secure. Similarly, if an organization doesn’t control credentials, there is no way to know which unauthorized personnel (or former personnel) may still have access to critical systems. Best practices in configuration and change management lead to a more secure enterprise computing environment.

Regardless of how change management processes are created or which tools are deployed for change management, an organization must control the “what” or “what’s changing,” the “how” or “how will it be done,” and the “who” or “who is making the change” for any changes to content, settings, and applications. This is particularly true for those organizations where compliance is a concern.
