s2-m4 Flashcards
Steps in the Change Management Process
- Identify and define the need for system changes
- Design a high level plan including goals to be achieved because of the system change
- Obtain approval from management
- Develop an appropriate budget and timeline
- Assign personnel responsible for managing the system
- Identify and address potential risks that could occur during the change or post implementation
- Provide an implementation road map
- Procure necessary resources and train the appropriate personnel
- Test the system change
- Execute the implementation plan
- Review and monitor change implementation and test as needed
What is change management?
The term used to describe the policies, procedures, and resources employed to govern change in an organization
Development Environment
Software programmers write code to create application prototypes. Typically a source code editing tool that is used to create and modify code syntax
Testing Environment
Developers test and debug code to identify errors that need to be corrected. May be the same as the dev environment, but some orgs keep it separate to focus on debugging
Staging Environment
Orgs can test programs that are in their final phases of development
Disaster Recovery Environment
Orgs set up a disaster recovery environment to ensure that applications can be restored quickly, save critical data and systems, notify management, and recover in the event of an outage
Lack of Expertise
Selection and Acquisition Risks
Risk that the purchasing agent does not have expertise or organizational perspective to purchase software that meets the needs of the org
Lack of a formal Selection and Acquisition Process
Selection and Acquisition Risks
Risk that the org does not have or does not follow formal selection and acquisition processes as it pertains to software. Can result in overspending or software that does not align with IT governance strategy
Software/Hardware Vulnerability and Incompatibility
Selection and Acquisition Risks
Risk that proper safeguards and security features that are needed to adequately protect the organization from unauthorized use do not exist
Service Organization's Perspective
SOC 2 Guidance
perform annual risk assessments to determine whether identified risks and controls linked to those risks are adequate
Service Auditor's Perspective
SOC 2 Guidance
Obtain and inspect the annual risk assessment performed by the service organization to determine that new controls were implemented to address risks not sufficiently addressed by existing controls
User Resistance
Integration Risks
Resistance to adopting change by employees results in them ignoring training and ultimately not following through with the change
Lack of Management Support
Integration Risks
If management does not provide both resources and adequate support, this could magnify existing employee resistance
Lack of Stakeholder Support
Integration Risks
Stakeholders involved in change may range from employees to suppliers to customers, any of which may have an adverse reaction or disposition toward change
Resource Concerns
Integration Risks
Change can be resource intensive. Appropriate resources may not be made available for change
Business Disruption
Integration Risks
With changes to IT infrastructure, there is the potential for brief or prolonged information system failures
Lack of System Integration
Integration Risks
organizations may operate many different systems, some of which may be legacy systems that do not effectively adapt or integrate with more modern systems
Lack of Org Knowledge
Outsourcing Risk
Must rely on a third party to fully comprehend the organization's business model and needs so the third party can integrate that change into the organization without causing disruption
Uncertainty of the Third Party's Knowledge and Management
Outsourcing Risk
A risk that the external party has ineffective or weak management, inexperienced or underqualified staff, and a lack of technology expertise
Lack of Security
Outsourcing Risk
Can lead to transmission of sensitive and confidential data. There is a risk that an external organization does not have sufficient or effective safeguards to make sure that client, customer, and employee info is kept secure
Policies and Procedures
Change Management Control
Clear change management guidelines are needed to outline how the change management process should be executed
Emergency Change Policies
Change Management Control
Separate contingency policies and procedures provide direction for emergency change situations that allow for an expedited process that still maintains an audit trail and appropriate controls