IT Change Management Flashcards
IT Change Management Policy
Accurate Documentation;
Continuous Oversight;
Formal, Defined approval process;
Scope
Key Goals of IT Change Mgt
-Establish clearly defined best practice processes to ensure compliance with the SOX requirements as measured using standard COBIT measurement elements
-Improve efficiency through the use of automated tools and a centralized data depository
-Improve communication through automated escalations and notifications
-Ensure proper level of approvals
-Reduce risk associated with completing changes
-Reduce the impact of changes on the IT and business organizations
IT Change Management Process
Formally Request a Change; Categorize and Prioritize the Change; Analyse and Justify the Change; Approve and Schedule the Change; Plan and Complete the Implementation of the Change; Post-Implementation Review
In Scope of Change Management Process
SDLC - changes through software development life cycle
Hardware – Installation, modification, removal or relocation of computing equipment.
Software – Installation, patching, upgrade or removal of software products
Database – Changes to databases or files
Application – Application changes being promoted to production
Moves, Adds, Changes and Deletes – Changes to system configuration.
Schedule Changes - Requests for creation, deletion, or revision to job schedules
Telephony – Installation, modification, de-installation, or relocation of PBX equipment/services
Desktop – modification or relocation of desktop
Generic and Miscellaneous Changes
Out of Scope
Some IT tasks performed do not fall under the policies and procedures of Change Management:
• Contingency/Disaster Recovery
• Changes to non-production elements or resources
• Changes made within the daily administrative process. Examples of daily administrative tasks are:
– Password resets
– User adds/deletes
– User modifications
– Adding, deleting or revising security groups
– Rebooting machines when there is no change to the configuration of the system
– File permission changes
The Change Advisory Board (CAB) may modify the scope periodically
Creating a Request for Change (RFC)
Created by the Change Coordinator
Change Coordinators work with the Change Initiators to identify:
• The Change Initiator’s name and contact information
• The Change Coordinator’s name and contact information
• An accurate description of the change required including the specific request, reason the change is required and the required timeframe
• The priority and category of the change based on the information available
• Incident tracking number of any issue that relates to the change
• Description and clarification of any items to be changed, including identification of the Configuration Item if known
• A cost-benefit analysis of the change and budgetary approval, if required
• Business impact and resource assessment
• Location of the release and a suggested implementation plan with timescale
• Impact on business continuity and contingency plans
• Risk involved in making the change
Assigning the Change Priority
Change Coordinator has authority to adjust the priority level:
• Emergency – A change that must be implemented immediately, or the organization is left open to significant risk (e.g. security patching).
• High – An important change that must be implemented soon to prevent a significant negative impact to business processes.
• Routine – A change implemented to gain benefit from the changed service.
• Low – A non-urgent change that would be advantageous.
Development Phase
Completing a risk and impact analysis
Developing specific change requirements
Identifying a back-out plan and receiving peer approval
Developing the Business Case Justification
Change Coordinator must develop a Business Case Justification:
- The requirements and detailed description of the change;
- Describe the impact the change will make on the business unit’s operation;
- Describe the effect the change may have upon the end user, business operation, and infrastructure
- Describe the impact on other services that run on the same infrastructure;
- Describe the effect of not implementing the Change;
- Estimate the IT, business and other resources required to implement the Change (costs, number and availability of people required);
- Estimate any additional ongoing resources if Change implemented
Technical Impact Analysis
Resource assigned based on type of change and complexity. Criteria a technical reviewer must consider:
- Evaluate the change plans to gauge the impact and effect of the change;
- Review the technical completeness of the change plan (anticipated assets changed, impact on start-up/shut down of systems, impact on disaster recovery plans);
- Evaluate the technical feasibility of the change (Performance, Capacity, Security, Operability);
- Validate technical aspects, feasibility, and plan
- Reviewer assigns technical impact level
Technical Impact - Low Level
- For routine categories
- IT resources from one workgroup within same IT division
- Low complexity: no technical coordination required
- Low risk to system availability (system/service outage affecting clients during Non-Prime Time)
- Easy implementation and back-out
- No impacts to service level agreements
Technical Impact - Medium Level
- IT resources from more than one workgroup within same IT division
- Significant complexity: technical coordination with one or more functional groups
- Moderate risk to system availability (outage exposure during Prime/Peak Times, outage primarily expected during Non-Prime Time)
- Some complexity to implementation and back-out plans - not expected to extend window timeframe
- Affects application, data or server security
- Impacts service level agreements and internal support required
Technical Impact - High Level
-IT resources from more than two workgroups, crosses IT divisions
-High complexity: complex technical coordination required with one or more functional groups
-High risk to system availability (outages expected during Prime/Peak Times)
-Complex implementation and back-out plans, back-out likely to extend the window timeframe
-Affects security of data on infrastructure
-Impacts service level agreements (e.g. Business Prime/Peak Time)
-Outside vendor support is typically required
Business Risk and Impact Assessment
- Evaluate business risk/impact of both doing and not doing the change
- Analyse timing of the change to resolve any conflicts and minimize impact
- Ensure all affected parties are aware of the change and understand its impact
- Determine if the implementation of the change conflicts with the business cycle
- Ensure current business requirements and objectives are met.
Assigning a Risk Level for Change
Customer and/or Client Impact (H, M, L, No Risk); IT Resource Impact; Implementation Complexity; Duration of Change; Security; Service Level Agreement Impact
Approvals Required for Change
Change Category: Production Migration, Hardware, Software, Scheduling, etc.
Priority: Emergency, Urgent, Routine, Low
Lead Times: number of days an action (Initiation or Approval) must be completed prior to requested implementation date.
Change Implementations
- Developing an implementation project plan
- Verify testing successful
- Applying the change to production
- Validating the change
- Resolving problems
- Summary of the results
- Updating the Change Management application with results
Change Management Reports
- Reasons for Change
- Number of successful changes
- Number of failed changes
- Number of changes backed-out, the reasons
- Number of Incidents traced to the change
- Number of RFCs (and any trends in origination)
- Number of implemented changes reviewed
- Data from previous periods for comparison
- Number of RFCs rejected
- Number of changes per category
Roles and Responsibilities
- Change Manager
- Change Initiator
- Change Coordinator
- Change Task Assignee or Change Implementer
- Change Management System Administrator
Change Manager
Receiving RFCs;
Selecting CAB members and facilitating CAB meetings;
Assigning teams to conduct RFC impact/risk analyses;
Analysing and prioritizing RFCs;
Categorising, assigning Change Coordinators, and scheduling RFCs;
Approving requests for minor changes;
Providing change notification to the Change Initiator;
Monitoring the successful completion of all RFCs;
Reviewing and evaluating the change process
Change Administrator
Supports the change manager;
Admin functions associated with the Change Management program;
CAB meeting schedule; Agenda prep;
Updating the policies and procedures;
Publishing change management reports for CAB
Change Initiator
Within the IT Business Unit;
Originates changes through RFC to the Help Desk or the Change Coordinator;
Providing sufficient information on the change for Change Coordinator;
Kept up-to-date on the status of the RFC;
Assists Change Manager and CAB to determine RFC priority;
In post-implementation review
Change Coordinator
Assigned by Change Manager (with CAB’s approval);
Planning and coordinating all phases of the change;
Document all relevant information;
Project status feedback to Change Manager;
Formal updates and proposals to the CAB;
Works with Change Initiator to ensure change meets Initiator’s requirements;
Evaluates the change process with Change Manager;
Coordinates and presents the post-implementation review analysis to the CAB.
Change Task Assignee or Change Implementer
Change Coordinator assigns Change Task Assignee when developing planning and implementation tasks;
Executes individual tasks within a change and ensures they are completed according to the implementation plan