How do I manage changes to information technology?
1. Just let change happen and keep backups in case you have to revert to them.
2. Create a system to identify and track changes larger than a particular management-defined consequence level.
3. Apply sound change controls.
For most small businesses, option 1 is used, and this is reasonable except for particularly high-tech or software-industry small businesses. Option 2 is a good solution for medium-sized businesses, but without some systematic approach to understanding consequences it will be problematic. Option 3 should be used for all medium and high consequence systems in all medium or large enterprises.
Small businesses have little choice but to let change happen, using backups to revert and re-entry for things not covered by backups. The cost of change control is too high for most small businesses to afford, and the systematic approach required is only justified in small businesses with a high-tech focus or in the software-writing arena.
Some change management system will be required in order to track changes in any substantial enterprise because there are so many of them and their impacts can be so widespread. For example, any change to a system potentially alters its properties with respect to risk aggregation, so all of the elements of risk aggregation analysis should be performed for any change that has the potential for impacting other systems. Without a systematic approach, a separate analysis will have to be performed for every change, mostly rehashing the previous analysis performed on all of those systems that interact with the changed system. The enterprise should therefore track all of the inter-dependencies associated with each system so that changes can produce incremental changes to only the systems impacted by the change.
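One way to track inter-dependencies so that a change triggers re-analysis only of the systems it can reach, given as an added example that is not part of the original page. The inventory, the system names, and the rule that a medium or higher worst-case consequence calls for change control are assumptions made for illustration.

```python
from collections import deque

# Constructed inventory (assumption): each system's consequence level and the
# systems it depends on. None of these names come from the original page.
INVENTORY = {
    "dns":         {"consequence": "high",   "depends_on": []},
    "directory":   {"consequence": "high",   "depends_on": ["dns"]},
    "database":    {"consequence": "medium", "depends_on": ["dns"]},
    "payroll":     {"consequence": "medium", "depends_on": ["directory", "database"]},
    "intranet":    {"consequence": "low",    "depends_on": ["directory"]},
    "print-queue": {"consequence": "low",    "depends_on": []},
}
RANK = {"low": 0, "medium": 1, "high": 2}


def dependents_index(inventory):
    """Invert depends_on so each system lists the systems that rely on it."""
    index = {name: set() for name in inventory}
    for name, record in inventory.items():
        for upstream in record["depends_on"]:
            if upstream not in inventory:
                raise KeyError(f"{name} depends on untracked system {upstream}")
            index[upstream].add(name)
    return index


def impacted_by(changed, inventory):
    """Return the changed system plus everything that transitively depends on it."""
    if changed not in inventory:
        raise KeyError(f"untracked system {changed}")
    index = dependents_index(inventory)
    seen, queue = {changed}, deque([changed])
    while queue:  # breadth-first walk; 'seen' also guards against cycles
        for downstream in index[queue.popleft()]:
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen


def review_plan(changed, inventory):
    """Scope the re-analysis and pick the control level from the worst impact."""
    scope = impacted_by(changed, inventory)
    worst = max((inventory[s]["consequence"] for s in scope), key=RANK.get)
    return {
        "reanalyze": sorted(scope),
        "worst_consequence": worst,
        "change_control_required": RANK[worst] >= RANK["medium"],
    }
```

A change to a low consequence system can still land in the high consequence scope if something critical depends on it, which is why the plan is driven by the worst level in the impacted set rather than by the level of the changed system alone.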
A second major problem is identifying which changes meet risk management concerns. Because incremental small changes can produce rather large overall changes and because of the amplifying effects of interdependencies and risk aggregation, the consequences of change are not always obvious.
The third option is most desirable but it also takes some time to achieve, so most enterprises use a mix of options 2 and 3. The cost of change management can also be substantial so it is typically only used in medium and high consequence systems where the consequences of failure to track changes are far higher than the cost of doing so.
Sound change control implies:
- a system for requesting, specifying, implementing, testing, and implementing changes,
- a method for tracking and backing out changes,
- separation of duties between research and development, testing, change control, and operations,
- databases that track these different elements of the process,
- approval processes and work flows to assure operational execution,
- integration of changes into the detection and response process to prevent false positives and potentially harmful responses,
- notification of audit so they can adapt their auditing to meet the new requirements,
- updated documentation to reflect operational changes and user changes,
- training to adapt the people to the changes,
- HR and legal approval of changes impacting those areas, and
- policies, standards, and procedures must be followed along the way.
The extent to which enterprises go down this path depends on their level of maturity in information technology, the protection program in place, and executive management understanding of the criticality of change management to enterprise operational continuity.
Change management goes to the heart of large-scale information technology deployments, and a systematic approach is necessary as enterprises grow.