s2-m4 Flashcards
Steps in the Change Management Process
- Identify and define the need for system changes
- Design a high-level plan, including the goals to be achieved by the system change
- Obtain approval from management
- Develop an appropriate budget and timeline
- Assign personnel responsible for managing the system change
- Identify and address potential risks that could occur during the change or post-implementation
- Provide an implementation road map
- Procure necessary resources and train the appropriate personnel
- Test the system change
- Execute the implementation plan
- Review and monitor change implementation and test as needed
What is change management?
The term used to describe the policies, procedures, and resources employed to govern change in an organization
Development Environment
Where software programmers write code to create application prototypes. Typically includes a source code editing tool used to create and modify code
Testing Environment
Where developers test and debug code to identify errors that need to be corrected. May be the same as the development environment, but some organizations keep it separate to focus on debugging
Staging Environment
Where organizations test programs that are in the final phases of development
Disaster Recovery Environment
Organizations set up a disaster recovery environment to ensure that, in the event of an outage, applications can be restored quickly, critical data and systems can be saved, management can be notified, and operations can recover
Lack of Expertise
Selection and Acquisition Risks
Risk that the purchasing agent does not have the expertise or organizational perspective to purchase software that meets the needs of the organization
Lack of a formal Selection and Acquisition Process
Selection and Acquisition Risks
Risk that the organization does not have, or does not follow, a formal selection and acquisition process for software. This can result in overspending or in software that does not align with the IT governance strategy
Software/Hardware Vulnerability and Incompatibility
Selection and Acquisition Risks
Risk that the proper safeguards and security features needed to adequately protect the organization from unauthorized use do not exist
Service Organization's Perspective
SOC 2 Guidance
Perform annual risk assessments to determine whether identified risks, and the controls linked to those risks, are adequate
Service Auditor's Perspective
SOC 2 Guidance
Obtain and inspect the annual risk assessment performed by the service organization to determine that new controls were implemented to address risks not sufficiently addressed by existing controls
User Resistance
Integration Risks
Resistance to change by employees results in training being ignored and, ultimately, the change not being followed through
Lack of Management Support
Integration Risks
If management does not provide both resources and adequate support, this could magnify existing employee resistance
Lack of Stakeholder Support
Integration Risks
Stakeholders involved in a change may range from employees to suppliers to customers, any of whom may have an adverse reaction or disposition toward the change
Resource Concerns
Integration Risks
Change can be resource intensive, and appropriate resources may not be made available for the change
Business Disruption
Integration Risks
With changes to IT infrastructure, there is the potential for brief or prolonged information system failures
Lack of System Integration
Integration Risks
Organizations may operate many different systems, some of which may be legacy systems that do not effectively adapt to or integrate with more modern systems
Lack of Org Knowledge
Outsourcing Risk
The organization must rely on the third party to fully comprehend the organization's business model and needs so that the third party can integrate the change into the organization without causing disruption
Uncertainty of the Third Party's Knowledge and Management
Outsourcing Risk
Risk that the external party has ineffective or weak management, inexperienced or underqualified staff, and a lack of technology expertise
Lack of Security
Outsourcing Risk
Outsourcing can require the transmission of sensitive and confidential data to the external party. There is a risk that the external organization does not have sufficient or effective safeguards to make sure that client, customer, and employee information is kept secure
Policies and Procedures
Change Management Control
Clear change management guidelines are needed to outline how the change management process should be executed
Emergency Change Policies
Change Management Control
Separate contingency policies and procedures provide direction for emergency change situations, allowing an expedited process that still maintains an audit trail and appropriate controls
Standardized Change Requests
Change Management Control
Using consistent forms and request protocols for standardized change requests helps complete all required changes in a timely fashion
Impact Assessment
Change Management Control
An analysis documenting the effect a change will have on the organization's business activities, as well as any potential disruptions, helps prepare the organization for successful implementation
Authorization
Change Management Control
Requiring designated levels of authorization for changes, including material modifications to the initial change plan, is necessary to protect against unauthorized modification of a project's scope
Segregation of Duties
Change Management Control
Segregating job roles (for example, the developer who writes a change should not also approve it and move it into production) helps protect assets or information from being used improperly
Conversion Controls
Change Management Control
When migrating from an existing system or process to the new one, conversion controls help minimize data conversion errors related to the impacted IT assets
Reversion Access
Change Management Control
Some changes may cause unexpected complications; therefore it is important to have the ability to revert to the prior system
Pre-Implementation Testing
Change Management Control
Before moving the change into production, testing helps determine whether the change is functioning properly and there are no irregularities
Post-Implementation Testing
Change Management Control
After the change is moved into production, transactions processed in the new environment are reconciled against the same transactions processed in the previous environment to confirm the change works as intended
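As an added example (not part of the flashcards), the following Python script shows what a post-implementation reconciliation looks like in practice: the same batch of transactions, exported once from the legacy system and once from the changed system, is compared record by record and field by field, and batch control totals are printed alongside the discrepancies. The CSV layout, the transaction rows and the seeded differences are all constructed for illustration.

```python
"""Post-implementation reconciliation.

Added example, not part of the flashcards. It compares the same batch of
transactions as processed by the pre-change (legacy) system and by the
post-change (new) system and reports every discrepancy. The CSV layout and
all sample rows are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from decimal import Decimal

# Constructed export from the legacy system for one batch.
OLD_CSV = """txn_id,account,amount,status
1001,ACC-01,150.00,POSTED
1002,ACC-02,75.50,POSTED
1003,ACC-03,1200.00,POSTED
1004,ACC-01,20.00,REJECTED
"""

# Constructed export from the changed system for the same batch. Seeded
# differences: 1002 drifts by one cent, 1003 changed status, 1004 is gone,
# and 1005 exists only in the new system.
NEW_CSV = """txn_id,account,amount,status
1001,ACC-01,150.00,POSTED
1002,ACC-02,75.49,POSTED
1003,ACC-03,1200.00,PENDING
1005,ACC-04,10.00,POSTED
"""

COMPARED_FIELDS = ("account", "amount", "status")


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: Decimal  # Decimal, not float: monetary values must compare exactly
    status: str


def load(csv_text: str) -> dict[str, Txn]:
    """Parse an export into a map keyed by txn_id; a duplicate key is an error."""
    txns: dict[str, Txn] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["txn_id"] in txns:
            raise ValueError(f"duplicate txn_id {row['txn_id']}")
        txns[row["txn_id"]] = Txn(
            row["txn_id"], row["account"], Decimal(row["amount"]), row["status"]
        )
    return txns


def reconcile(old: dict[str, Txn], new: dict[str, Txn]) -> dict[str, list]:
    """Compare the two runs: records missing or unexpected, then field values."""
    report: dict[str, list] = {
        "missing_in_new": sorted(old.keys() - new.keys()),
        "unexpected_in_new": sorted(new.keys() - old.keys()),
        "field_mismatch": [],
    }
    for txn_id in sorted(old.keys() & new.keys()):
        for field in COMPARED_FIELDS:
            before = getattr(old[txn_id], field)
            after = getattr(new[txn_id], field)
            if before != after:
                report["field_mismatch"].append((txn_id, field, str(before), str(after)))
    return report


def control_totals(txns: dict[str, Txn]) -> tuple[int, Decimal]:
    """Count and sum of POSTED transactions: the classic batch control total."""
    posted = [t.amount for t in txns.values() if t.status == "POSTED"]
    return len(posted), sum(posted, Decimal("0"))


def is_clean(report: dict[str, list]) -> bool:
    return not any(report.values())


def run() -> dict[str, list]:
    old, new = load(OLD_CSV), load(NEW_CSV)
    report = reconcile(old, new)
    print("legacy control totals:", control_totals(old))
    print("new    control totals:", control_totals(new))
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
    print("RECONCILED" if is_clean(report) else "DISCREPANCIES FOUND")
    return report


if __name__ == "__main__":
    run()
```

Control totals alone would have caught the cent difference and the missing record but not the status change on 1003, which is why the record-level comparison is kept alongside them; a reconciliation that only checks totals can pass while individual transactions are wrong.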
Ongoing Monitoring
Change Management Control
Continuous or periodic reviews after implementation promote long-term success
What factors should the annual risk assessment process evaluate?
Trust Services Criteria for SOC 2
- the economic, regulatory, and physical environment in which the company operates
- business environment, industry, competition, and consumer dynamics
- the effect that new lines of business, modified lines of business, expansion through acquisition, or downsizing through divestiture can have on internal control
- management's attitude toward internal controls
- changes in the technology environment
- partnerships with vendors
Baseline Configuration
The starting point for documenting changes to a system. Establishing a baseline gives reconfigurations a known starting point, so that changes are deployed in a consistent and secure environment
System Component Inventory
a list of items that comprise a system including hardware, software, peripherals, and other IT assets
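As an added example (not part of the flashcards), the Python below puts the two cards above together: a baseline configuration is recorded as a SHA-256 per configuration file plus a version per inventoried component, and a later snapshot of the host is compared against it so that every deviation (modified, added or removed file; changed, added or removed component) is classified. The file paths, file contents and package versions are constructed stand-ins for a real host, and the fingerprint over the baseline record is there so the baseline itself can be checked for tampering.

```python
"""Baseline configuration and component inventory drift check.

Added example, not part of the flashcards. A baseline records a SHA-256 per
configuration file and a version per installed component; a later snapshot
is compared against it and every deviation is classified. File paths,
contents and package versions are constructed stand-ins for a real host.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes], components: dict[str, str]) -> dict:
    """Snapshot the approved state. Keys are sorted so the result is canonical."""
    return {
        "files": {path: sha256_hex(body) for path, body in sorted(files.items())},
        "components": dict(sorted(components.items())),
    }


def baseline_fingerprint(baseline: dict) -> str:
    """One hash over the canonical baseline record. Store it out-of-band so
    tampering with the baseline itself (not just the host) is detectable."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def detect_drift(baseline: dict, files: dict[str, bytes], components: dict[str, str]) -> dict:
    """Compare the current state with the baseline and classify every change."""
    current = build_baseline(files, components)
    drift: dict = {"modified": [], "added": [], "removed": [], "component_changes": []}
    base_files, cur_files = baseline["files"], current["files"]
    for path in sorted(set(base_files) | set(cur_files)):
        if path not in cur_files:
            drift["removed"].append(path)
        elif path not in base_files:
            drift["added"].append(path)
        elif base_files[path] != cur_files[path]:
            drift["modified"].append(path)
    base_comp, cur_comp = baseline["components"], current["components"]
    for name in sorted(set(base_comp) | set(cur_comp)):
        before, after = base_comp.get(name), cur_comp.get(name)
        if before != after:
            # (name, baseline version or None, current version or None)
            drift["component_changes"].append((name, before, after))
    return drift


# Constructed approved state captured when the baseline was established.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL:ALL) ALL\n%admin ALL=(ALL) ALL\n",
}
BASELINE_COMPONENTS = {"openssl": "3.0.13", "nginx": "1.24.0"}

# Constructed current state: sshd_config edited, a cron file added, openssl
# moved to a newer version, and a component installed that was never approved.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL:ALL) ALL\n%admin ALL=(ALL) ALL\n",
    "/etc/cron.d/nightly-report": b"0 2 * * * report /opt/report/run.sh\n",
}
CURRENT_COMPONENTS = {"openssl": "3.0.14", "nginx": "1.24.0", "netcat": "1.10"}


def run() -> dict:
    baseline = build_baseline(BASELINE_FILES, BASELINE_COMPONENTS)
    print("baseline fingerprint:", baseline_fingerprint(baseline))
    drift = detect_drift(baseline, CURRENT_FILES, CURRENT_COMPONENTS)
    for kind, items in drift.items():
        for item in items:
            print(f"{kind}: {item}")
    return drift


if __name__ == "__main__":
    run()
```

Every item the script reports should map to an approved change request; an item with no matching request (here the sshd edit and the unapproved component) is exactly the unauthorized change the baseline exists to surface, while an expected one (the openssl version bump from an approved patch) becomes the next baseline.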
Acceptance Criteria
Help enhance the likelihood that changes to systems or processes are clear and concise, properly tested prior to implementation, documented, approved, evaluated, and reviewed. Criteria should be measurable and specific so that the change can be objectively evaluated
Performance
Acceptance Criteria
Quantitatively, this may be measured using metrics such as the newly configured system's uptime, downtime, or speed in seconds or minutes. If assessed qualitatively, this could simply be a rating of perceived performance by a testing panel
Functionality
Acceptance Criteria
Qualitative; assesses whether an application or infrastructure component performs its target function and how efficient or practical it is to use the system in its intended environment
Scalability
Acceptance Criteria
The ease with which the system can scale up or down, measured quantitatively using metrics such as the maximum number of transactions that can be processed
Compliance
Acceptance Criteria
May be measured by an objective qualitative assessment that renders a yes-or-no verdict on compliance
Logging
The process of recording events into logs or databases so that the organization can track activities that occur on a system
The Waterfall Model
Characterized by different teams of employees performing separate tasks in sequence, with each team beginning work from the written, authoritative deliverable of the preceding team and ending work when the business requirements assigned to that team have been met
Waterfall Challenges
- takes a lot of time to complete
- benefits are not realized until completion
- little customer input once development is under way, and change can be difficult to manage
- employees may be idle before beginning or after completing their phase
The Agile method
Characterized by cross-functional teams, each dedicated to particular functions or improvements of a system, drawn from a prioritized list of the customer's remaining needs for the system
The Agile Principles
- Satisfy the customer with early and continuous delivery of highest priority features
- Welcome change
- Deliver working software frequently
- Complete only the work requested
- Conduct short, frequent, and regular meetings to maintain focus
Patch Management
Systematic process of identifying specific vulnerabilities or software bugs in operating systems or applications and addressing them with patches or fixes between major releases
An effective patch management process includes
- Evaluating new patch releases
- Using a vulnerability scanning tool
- Testing patches in a test environment
- Approving and deploying patches
- Verifying that patches were deployed
Direct
System Conversion Method
Involves ceasing use of the old system and starting the new one immediately
Parallel
System Conversion Method
The new system is implemented while the old system remains in use for an extended period of time
Pilot
System Conversion Method
The organization performs the conversion on a small scale, such as within a test environment or for a limited group of users, while continuing to use the older system
Phased
System Conversion Method
This transition plan gradually adds volume to the new system while the old system remains in operation
Hybrid
System Conversion Method
Custom combinations of the other approaches, tailored to the organization's needs
A Change Advisory Board
Recommended so that organizations can adequately plan for change and respond to unwanted change outcomes
Rollback
Requires a complete inventory of system configurations for applications and operating systems so that systems can be restored to the state that existed prior to the change
Unit Testing
The process of examining the smallest increment, or unit, of an application. Unit testing can be broken down by function so that developers evaluate units of code that perform specific tasks as the application is being developed
Integration testing
Also called thread testing or string testing; performed after unit testing to enhance the likelihood that the different components or modules within an application will work cohesively once all units are integrated
System testing
Verifies that all combined modules of a completed application work as designed in totality. Focuses on overall functionality
Acceptance Testing
The application is assessed, with end-user involvement, to determine whether it meets end-user requirements. May involve beta testing