6: Auditing Network Change Management Flashcards
• Change control policy
The IS auditor should examine the organization’s change control policy to understand how change is supposed to be controlled and managed.
• Change logs
The IS auditor should determine if information systems contain automatic logs that contain all changes to systems and, if so, if these logs are reviewed by IT staff to ensure that only approved changes are being made to systems. The auditor should examine procedures and records to determine what actions are taken when unapproved changes are discovered.
• Change control procedures
The IS auditor needs to examine change control procedures and examine records to determine if procedures are effective and are being followed.
• Emergency changes
The IS auditor should examine change control policy, procedures, and records to see how emergency changes are handled and how they are approved.
• Rolled-back changes
The IS auditor should examine change control records to see what changes needed to be rolled back because of problems. The auditor should determine how these situations were handled.
• Documentation
The IS auditor should determine whether change control procedures and records include updates to documentation, including network operations procedures, architecture diagrams, and disaster recovery plans.
• Linkage to system development life cycle (SDLC)
The IS auditor should understand how the organization’s system development life cycle is integrated with its change management processes to ensure that only completed and properly approved software changes are proposed for promotion into production.