Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.theiia.org Change and Patch Management Controls Critical for Organizational Success Global Technology Auditing Guide 2.

Published byNoreen Patrick Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.theiia.org Change and Patch Management Controls Critical for Organizational Success Global Technology Auditing Guide 2."— Presentation transcript:

1 www.theiia.org Change and Patch Management Controls Critical for Organizational Success Global Technology Auditing Guide 2

2 www.theiia.org What This Guide Covers Why IT change and patch management controls are foundational to a healthy IT environment How IT change and patch management controls help manage IT risks and costs What works and doesn’t work in practice Describes sources of change and the likely impact on business objectives

3 www.theiia.org What This Guide Covers Compares effective change management (best practices) and ineffective change management (red flag indicators) Discusses the Top Five Steps to reduce IT change related risks Provides assessment tool and describes what internal auditors should do In Summary: This GTAG provides a working knowledge of IT change management processes and risks

4 www.theiia.org Understanding IT Change Management Business requirements drive the need for a high degree of IT uptime (availability) while regulatory requirements such as Sarbanes-Oxley drive the need for controls to ensure the confidentiality and integrity of information Stable and managed IT production environments require that changes be implemented in a predictable and repeatable manner IT personnel implementing changes must follow a controlled process that is defined, monitored and enforced Preventative controls (segregation of duties) and detective controls (supervisory) are needed in combination

5 www.theiia.org 4 - Continuously Improving <5% of time spent on unplanned work<5% of time spent on unplanned work Change success rate is very highChange success rate is very high Service levels are world classService levels are world class IT operating costs are under controlIT operating costs are under control Can scale IT capacity rapidly with marginal increases in IT costsCan scale IT capacity rapidly with marginal increases in IT costs Change review and learning processes are in placeChange review and learning processes are in place Able to increase capacity in a cost- effective wayAble to increase capacity in a cost- effective way 3 - Closed-Loop Process 15-35% of time spent on unplanned work15-35% of time spent on unplanned work Some ticketing / workflow system in placeSome ticketing / workflow system in place Changes documented and approvedChanges documented and approved Change success rate is highChange success rate is high Service levels are good & becoming world classService levels are good & becoming world class Server-to-admin ratio is good, but not BoBServer-to-admin ratio is good, but not BoB IT costs are improving Security incidents downSecurity incidents down 2 - Using Honor System 35-50% of time spent on unplanned work35-50% of time spent on unplanned work Some technology deployedSome technology deployed You have the right vision but no accountabilityYou have the right vision but no accountability Server-to-admin ratio is way too lowServer-to-admin ratio is way too low IT costs are too high Process subverted by talking to the “right” peopleProcess subverted by talking to the “right” people 1 - Reactive Over 50% of time spent on unplanned workOver 50% of time spent on unplanned work Chaotic environment; lots of fire fightingChaotic environment; lots of fire fighting MTTR is very long; poor service levelsMTTR is very long; poor service levels Can only scale by throwing people at the problemCan only scale by throwing people at the problem Reactive Using The Honor System Closed-Loop Change Mgt Effectiveness Continuously Improving Based on the IT Process Institute’s “Visible Ops” Framework Changes control the organization: Organization controls the changes: Change Management Maturity

6 www.theiia.org Why Audit Change Controls? Increased regulatory requirements around IT controls –Increased focus from Audit Committee and Senior Management –Internal auditors responsible for providing IT controls assurance Technology is everywhere -- 80% of an organization’s IP is in electronic form –All business decisions result in at least one IT change. When changes are not controlled, they can impact the entire organization –According to analysts, 80% of all outages are due to change, Consequently, CAEs cannot delegate responsibility for IT change management to IT auditors

7 www.theiia.org Benefits of Good Change and Patch Management Processes Spend more time on new development work to advance business goals and objectives Reallocate IT staff resources to deliver new capabilities versus “putting out fires” Spend less time on unplanned IT work Less IT downtime Ability to install critical patches with minimal disruption

8 www.theiia.org Assessing Change & Patch Management Processes COSO ERM Model For Change & Patch Management CONTROL ACTIVITIES RISK ASSESSMENT MONITORING INFORMATION & COMMUNICATION INTERNAL ENVIRONMENT RISK RESPONSE RISK ASSESSMENT EVENT IDENTIFICATION OBJECTIVE SETTING Control Activities: Common Process in Place and Documented Effective Change Control Committee Structure Change Control Log Used Segregation of Duties Between Developers and Technical Staff Maintained Automated Controls to Enforce Process of Promoting Changes into Production Automated Process to Return Production Environment to Pre-change State Approved Configurations Documented Clear Delegation of Authority Documented Approvals for Changes Documented Automated System and Data Backups and Ability to Restore from Approved Environment Risk Assessment: Firm’s Strategic and Process Level Risk Assessments Consider Risks Associated with Out of Process (unintended or unauthorized) Changes Risks Due to Change Well Understood by IT Thorough Risk Assessment of All Proposed Changes Performed Business Continuity Planning in Place Internal Audit Assessment Performed Business Insurance Needs Assessment Performed Risk Factors Assessed to Determine Classification of the Change and Level of Testing and Approval Examples from GTAG

9 www.theiia.org Roles and Responsibilities Board of Directors / Governing Body –Audit Committee – consider organization’s ability to manage IT risks by monitoring deficiencies in critical processes such as change management Management – Define, approve, implement and execute IT change management processes –Roles vary for developers, operators, testers, approvers, and others Auditor –Internal Auditors – provide assurance to management –External Auditors – independent assessment to determine reliance on controls for preparing financial statements and complying with Sarbanes-Oxley

Download ppt "Www.theiia.org Change and Patch Management Controls Critical for Organizational Success Global Technology Auditing Guide 2."

Similar presentations

Organizational Governance

Organizational Governance
OPERATING EFFECTIVELY AT WESD. What is Internal Control? A process designed to provide reasonable assurance the organizations objectives are achieved.

OPERATING EFFECTIVELY AT WESD. What is Internal Control? A process designed to provide reasonable assurance the organizations objectives are achieved.
Internal Control–Integrated Framework

Internal Control–Integrated Framework
IMFO Audit & Risk Indaba June 2012

IMFO Audit & Risk Indaba June 2012
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Www.theiia.org Continuous Auditing Global Technology Auditing Guide 3 Twelfth Continuous Auditing and Reporting Symposium Rutgers Business School November.

Continuous Auditing Global Technology Auditing Guide 3 Twelfth Continuous Auditing and Reporting Symposium Rutgers Business School November.
1 The critical challenge facing banks and regulators under Basel II: improving risk management through implementation of Pillar 2 Simon Topping Hong Kong.

1 The critical challenge facing banks and regulators under Basel II: improving risk management through implementation of Pillar 2 Simon Topping Hong Kong.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
The Islamic University of Gaza

The Islamic University of Gaza
Dr. Julian Lo Consulting Director ITIL v3 Expert

Dr. Julian Lo Consulting Director ITIL v3 Expert
Security Controls – What Works

Security Controls – What Works
Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.

Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
INTERNAL CONTROL. INTERNAL CONTROL DEFINED  INTERNAL CONTROL IS A PROCESS - EFFECTED BY AN ENTITY'S BOARD OF DIRECTORS, MANAGEMENT, AND OTHER PERSONNEL.

INTERNAL CONTROL. INTERNAL CONTROL DEFINED  INTERNAL CONTROL IS A PROCESS - EFFECTED BY AN ENTITY'S BOARD OF DIRECTORS, MANAGEMENT, AND OTHER PERSONNEL.
Chapter 4 Internal Control Bus 319 Accounting Information Systems.

Chapter 4 Internal Control Bus 319 Accounting Information Systems.
Governance1 Governance and Policy Tim Shimeall March 2006.

Governance1 Governance and Policy Tim Shimeall March 2006.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit

Similar presentations

Ads by Google