IT Change Management Process

Download Free Change Management Process

Identify Change
The first step of the Change Management process begins with a person or process associated with the information system identifying a need for a change. The change can be initiated by numerous individuals, such as users or system owners, or they may be identified by audit findings or other reviews. A change may consist of updating the fields or records of a database to upgrading the operating system with the latest security patches. Once the need for a change has been identified, a change request should be submitted to the appropriate decision-making body.

Evaluate Change Request
After initiating a change request, the effects that the change may have on the system or other interrelated systems must be evaluated. An impact analysis of the change should be conducted using the following as a guideline:
• Whether the change is viable and improves the performance or the security of the system;
• Whether the change is technically correct, necessary, and feasible within the system constraints;
• Whether system security will be affected by the change;
• Whether associated costs for implementing the change were considered; and
• Whether security components are affected by the change.

Implementation Decision
Once the change has been evaluated and tested, one of the following actions should be taken:
• Approve. Implementation is authorized and may occur at any time after the appropriate authorization signature has been documented.
• Deny. Immediate denial of the request regardless of circumstances and information provided.
• Defer. Immediate decision is postponed until further notice. In this situation, additional testing or analysis may be needed before a final decision can be made.

Implement Approved Change Request
Once the decision to implement the change has been made, it should be moved from the test environment into production. If required, the personnel updating the production environment should be separate from those individuals that developed the change to provide a greater assurance that unapproved changes do not get implemented into production.

Continuous Monitoring
The Change Management process calls for continuous system monitoring to ensure that it is operating as intended and that implemented changes do not adversely impact either the performance or security posture of the system. Agencies can achieve the goals of continuous system monitoring by performing configuration verification tests to ensure that the selected configuration for a given system has not been altered outside of the established Change Management process. In addition to configuration verification tests, agencies can also perform system audits. Both configuration verification tests and system audits entail an examination of characteristics of the system and supporting documentation to verify that the configuration meets user needs and ensure that the current configuration is the approved system configuration baseline.