Introduction to Change Management - PowerPoint PPT Presentation



SLIDE 1

San Francisco Chapter

Introduction to Change Management

Tuesday, September 23, 2008
Mark Lundin, Partner, KPMG LLP, IT Advisory
Steve Owyoung, Manager, KPMG LLP, IT Advisory

SLIDE 2

Discussion topics

• Why change management and its significance
• Types of changes in production environment
• Change management controls
• Impact of weak change management control
• Integrity management
• Change management leading practices
• Software Development Life Cycle (SDLC)

SLIDE 3

Why change management and its significance?

[Diagram label: Organization]

SLIDE 4

Why change management and its significance?

• The total fraud losses in the United States to be $660 billion a year
• Of all the computer crimes reported

[Chart values: Women 32%, Minorities 43%, Ages 21-35 67%]

Source: Association of Certified Fraud Examiners and National Center For Computer Crime

[Chart: Computer fraud by occupation. Labels: Managers, Others, Application Programmers, Clerical Users, Students. Values in extraction order, not matched to labels: 11%, 14%, 18%, 12%, 31%]

75% - 90% computer crime committed by former or current employees (knowledgeable insiders)

SLIDE 5

Why change management and its significance?

• Change management – it is significant because it helps an organization to be efficient

[Diagram labels: Adapting to change, Controlling change, Effecting change]

SLIDE 6

Types of changes
Changes in production environment

[Diagram labels: Network Equipment, Internet, Physical Control]

SLIDE 7

Types of changes
OS changes (Host)

• Applying OS patches
  • OS vendor recommendation
  • Opening/closing OS services
• Re-imaging
  • As a backup plan when an OS update didn’t go as planned
  • As part of major/minor/emergency application changes

SLIDE 8

Types of changes
Network changes

• Software changes
  • Deploying OS
  • Patching OS
• Configuration Changes
  • Updating firewall, router, switch configuration
• Hardware changes
  • Adding/removing of network equipment

SLIDE 9

Types of changes
Application changes

• Company specific application change
  • Major, minor and emergency changes
• Database changes
  • Schema changes
  • Database upgrades (version upgrade)

SLIDE 10

Types of changes
Physical access change

• Physical access to datacenter
  • Preventing root level access through a system console
  • Deactivating terminated employee’s physical access
  • Deactivating temporary physical access

SLIDE 11

Types of changes
Logical access change

• OS Access Change
  • privileged access to production/mission critical server
• Application Access Change
  • privileged access to production/mission critical application
• Network Access Change
  • privileged access to network equipment

SLIDE 12

Change management controls
Planned/routine maintenance changes procedure and controls

SLIDE 13

Change management controls
Emergency/System Recovery change procedure and controls

SLIDE 14

Impact of weak change controls

• Potential for system outages
• Prone to unplanned, unauthorized and undocumented changes
  • Unauthorized and undocumented changes
    • Causes unexplained additional problems or outages
    • Causes unplanned changes as problems are troublesome to resolve due to the prior undocumented changes

SLIDE 15

Impact of weak change controls

• Prone to system attack – example denial of services
• Misuse of resource
  • Unplanned work
  • Creates monetary loss
• Causes legal implication
  • Due to the exposure of sensitive customer data
  • Due to system unavailability to customers
• Losing a customer/business

SLIDE 16

Integrity management – Preventing, detecting and responding to changes in production systems

• Prevention
  • Restrict logical access
    • Firewall, IDS, OS and Application
  • Unnecessary services
    • Disable at the servers
    • Block by the firewalls
  • Restrict physical access
    • Restrict physical access that houses critical systems to ONLY authorized employees
    • Perform periodic physical access reviews

SLIDE 17

Integrity management – Preventing, detecting and responding to changes in production systems

• Detection
  • Monitor metadata and look for changes
    • Create, store and monitor baseline metadata values
    • Metadata values: modification time, file size and cryptographic checksum
  • Integrity Management Software
    • Reads files or directories to monitor
      • critical network configuration, data files, customer database files, documents and spreadsheets
    • Takes action when a violation (change) occurs
  • Intrusion detection (IDS)

SLIDE 18

Integrity management – Preventing, detecting and responding to changes in production systems

• Recovery
  • Maintain a backup copy of the production data
  • Identify changes based on the Integrity Management Software report
  • Determine whether a change is authorized or not
  • Restore a file if the change is deemed unauthorized or malicious
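The detection and recovery steps on slides 17 and 18, as an added example (not from the presentation or from any integrity management product): a baseline of modification time, size and SHA-256 is compared with the live state, each change is checked against an approved-change record, and unauthorized changes are restored from backup. The file names, file contents and the `approved` mapping are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def snapshot(root):
    """Baseline per file: modification time, size, SHA-256 checksum."""
    return {
        p.relative_to(root).as_posix(): {
            "mtime_ns": p.stat().st_mtime_ns,
            "size": p.stat().st_size,
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
        }
        for p in Path(root).rglob("*") if p.is_file()
    }

def detect(baseline, current):
    """Return {path: 'added' | 'removed' | 'modified'} between two snapshots."""
    findings = {}
    for path in baseline.keys() | current.keys():
        old, new = baseline.get(path), current.get(path)
        if old != new:  # mtime, size or checksum differs, or the file appeared/vanished
            findings[path] = "added" if old is None else "removed" if new is None else "modified"
    return findings

def triage(findings, current, approved):
    """approved maps path -> checksum expected after an approved change (None = approved removal)."""
    authorized, unauthorized = [], []
    for path in sorted(findings):
        new_sum = current.get(path, {}).get("sha256")
        (authorized if approved.get(path, "") == new_sum else unauthorized).append(path)
    return authorized, unauthorized

def restore(root, backup, paths):
    """Return unauthorized paths to the backup state; files with no backup copy are deleted."""
    for path in paths:
        live, saved = Path(root, path), Path(backup, path)
        if saved.is_file():
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(saved, live)  # copy2 also restores the modification time
        else:
            live.unlink(missing_ok=True)

def demo():
    """Constructed scenario: an approved change, an unapproved same-size edit, a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, backup = Path(tmp, "prod"), Path(tmp, "backup")
        prod.mkdir()
        (prod / "app.ini").write_text("debug=false\n")
        (prod / "router.conf").write_text("permit tcp any host 10.0.0.5 eq 443\n")
        shutil.copytree(prod, backup)
        baseline = snapshot(prod)
        new_ini = "debug=false\nlog_level=info\n"  # content named in a hypothetical change ticket
        approved = {"app.ini": hashlib.sha256(new_ini.encode()).hexdigest()}
        (prod / "app.ini").write_text(new_ini)
        # Unapproved edit with size and mtime left identical: only the checksum differs.
        (prod / "router.conf").write_text("permit tcp any host 10.0.0.5 eq 444\n")
        os.utime(prod / "router.conf", ns=(baseline["router.conf"]["mtime_ns"],) * 2)
        (prod / "extra.sh").write_text("echo constructed\n")
        current = snapshot(prod)
        differs = [k for k, v in baseline["router.conf"].items() if current["router.conf"][k] != v]
        authorized, unauthorized = triage(detect(baseline, current), current, approved)
        restore(prod, backup, unauthorized)
        return authorized, unauthorized, differs, detect(baseline, snapshot(prod))

if __name__ == "__main__":
    print(demo())
```

After the restore, the only remaining difference from the baseline is the approved change, which is the point at which the baseline itself would be refreshed.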

SLIDE 19

Change management leading practices

• Change management policy, procedure and standards
• Change result management
• Change request management
• Deployment management
• Approval process
• Monitor application and networks

SLIDE 20

Change management leading practices

[Diagram label: Production Environment]

SLIDE 21

Change management leading practices
Change management policy, procedure and standard

• What is change management policy/procedure?
  • It is the process of planning, organizing, controlling, executing and monitoring changes that affect the delivery of IT services
  • Prioritizes changes based on downtime, lead time, type of services and severity of the change
  • Categorizes change (Low, Medium, High, and Urgent)

SLIDE 22

Change management leading practices
Change management policy, procedure and standard

• Better assess the cost of proposed changes before they are incurred
• Reduce adverse impact of changes on the quality of services and on Service Level Agreements (SLA)
• Integrate with and communicate to IT and management
• Roles and responsibilities
  • Define and designate qualified personnel’s roles
  • Segregation of duties (SOD)
  • Communicate to the organization
  • Enforce throughout the change management process

SLIDE 23

Change management leading practices
Change Request Management

• Change Request Analysis
  • Business Analysis
    • The likelihood of success
    • Significance to business
    • Resources required and business justification
  • Technical Analysis
    • System dependencies
    • Technical requirement
    • Project estimate

SLIDE 24

Change management leading practices
Change Request Management

• Change Request Reporting
  • Make the change requests visible to management
  • Retain status of the change request when it is analyzed, prioritized, tested and deployed

SLIDE 25

Change management leading practices
Approval Process

• Appropriate approval should be obtained between the different phases of change management process
• Management approval should be documented

SLIDE 26

Change management leading practices
Deployment Management

• Logical environment (separate)
  – Development, Test/QA and Production
• Deployment process
  • High category changes
  • Low/Medium category changes
  • Emergency changes
• Technology leverage
  • To provide auditability and versioning throughout the deployment process

SLIDE 27

Change management leading practices
Result management

• Key Performance Indicators (KPI) about the entire Change Management Process
  • Process bottlenecks, successful techniques, etc.
• Use the KPIs (by management) to make adjustments to the change management procedure and practices
• Post change implementation monitoring

SLIDE 28

Change management leading practices
Monitor application and networks

• Integrity checks
  • using automated monitoring tools
  • Incident response
    • Escalation process
• Periodic reviews
  • User access – OS, apps, network, etc.
  • System configuration – servers, network equipment, etc.

SLIDE 29

Software Development Life Cycle
Relationship between change management and SDLC

• Managing change is a critical component of any SDLC model
  • Change Management and SDLC are not mutually exclusive
• Change management occurs throughout the development life cycle
• Cost of changes is higher once out of development

SLIDE 30

Software Development Life Cycle
Relationship between change management and SDLC

• Iterative model
  • Agile Methodology
  • Rational Unified Process (RUP)
  • Rapid Application Development (RAD)
  • Joint Application Development (JAD)

Illustration courtesy of Rational Unified Process

SLIDE 31

Software Development Life Cycle
Relationship between change management and SDLC

• Iterative model
  • Agile Methodology
  • Rational Unified Process (RUP)
  • Rapid Application Development (RAD)
  • Joint Application Development (JAD)

Illustration courtesy of Rational Unified Process

SLIDE 32

Software Development Life Cycle
Relationship between change management and SDLC

• Waterfall model

SLIDE 33

Software Development Life Cycle
Relationship between change management and SDLC

• Prototyping

[Diagram label: Manage Change]

SLIDE 34

Software Development Life Cycle
Relationship between change management and SDLC

• V Model

SLIDE 35

Software Development Life Cycle
Relationship between change management and SDLC

• Audit areas: Program Change and Program Development
  • Define in-scope systems relevant to each area
  • Test controls based on definition

[Diagram: V Model]

SLIDE 36

Software Development Life Cycle
Tools to manage changes better

Illustration courtesy of Rational Unified Process

SLIDE 37

Questions