Chapter 15. Governance Techniques
This chapter covers the need for, and use of, techniques such as change control reviews, operational reviews, and ISO 9000 reviews.
Change Control
Periodically the need arises to modify an existing hardware and/or software configuration as a result of:
Hardware changes as a result of performance improvements or reconfigurations caused by changes to other systems
Hardware failures during normal operations
The detection of a software error during normal operations
Changes to legislation affecting the organization’s business systems
A change to the business operation of the organization requiring alterations within the information systems
As a result of these changes in the environment, the extent of change required within the existing system configuration must be determined, and the change must be applied in a controlled manner so as to avoid any undue disruption to normal processing. It is critical that, during periods of change, the production versions of software are protected against unauthorized, untested, or even malicious changes.
Change control’s objective is to ensure risk is controlled, not introduced, during a change. This means ensuring that:
All changes are authorized
All authorized changes are made
Only authorized changes are made
All changes are as specified
All changes are cost effective
This control requires a coordinated effort involving managers, users, information systems personnel, and IS Auditors. An effective methodology for authorizing, ...
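The three objectives "all authorized changes are made", "only authorized changes are made", and "all changes are as specified" can be checked mechanically by reconciling the register of authorized changes against the changes actually observed on production systems. The following is an added example written for this chapter, not code from the book or its authors: it reconciles a constructed list of authorized change records (ticket ids, hosts, settings, and expected values are all invented) against a constructed configuration diff, and reports a finding for each objective that is not met.

```python
"""
Change-control reconciliation: compare authorized changes with observed changes.

Added example, not from the book. All ticket ids, host names, settings and
values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorizedChange:
    """One approved entry in the change register."""
    ticket: str
    host: str
    setting: str
    expected_value: str


@dataclass(frozen=True)
class ObservedChange:
    """One difference detected between the previous and current configuration."""
    host: str
    setting: str
    old_value: str
    new_value: str


def reconcile(authorized, observed):
    """
    Map the change-control objectives onto set comparisons:

      * "only authorized changes are made" (and "all changes are authorized"):
        an observed change with no matching authorization -> unauthorized
      * "all authorized changes are made":
        an authorization with no observed change               -> not_applied
      * "all changes are as specified":
        an observed change whose resulting value differs from
        the authorized value                                    -> not_as_specified
    """
    auth_index = {(a.host, a.setting): a for a in authorized}
    obs_index = {(o.host, o.setting): o for o in observed}

    unauthorized = [o for key, o in obs_index.items() if key not in auth_index]
    not_applied = [a for key, a in auth_index.items() if key not in obs_index]
    not_as_specified = [
        (a, obs_index[key])
        for key, a in auth_index.items()
        if key in obs_index and obs_index[key].new_value != a.expected_value
    ]
    return {
        "unauthorized": unauthorized,
        "not_applied": not_applied,
        "not_as_specified": not_as_specified,
    }


# Constructed change register (hypothetical tickets and hosts).
AUTHORIZED = [
    AuthorizedChange("CHG-1001", "web01", "sshd.PasswordAuthentication", "no"),
    AuthorizedChange("CHG-1002", "db01", "postgresql.ssl", "on"),
    AuthorizedChange("CHG-1003", "web02", "sshd.PasswordAuthentication", "no"),
    AuthorizedChange("CHG-1004", "db01", "firewall.default_policy", "DROP"),
]

# Constructed configuration diff, as a monitoring tool might report it.
OBSERVED = [
    ObservedChange("web01", "sshd.PasswordAuthentication", "yes", "no"),  # CHG-1001, correct
    ObservedChange("db01", "postgresql.ssl", "off", "on"),                 # CHG-1002, correct
    ObservedChange("db01", "firewall.default_policy", "ACCEPT", "REJECT"), # CHG-1004, wrong value
    ObservedChange("web02", "sshd.PermitRootLogin", "no", "yes"),          # no ticket at all
    # CHG-1003 (web02 PasswordAuthentication) has no observed change: not applied.
]


def report(findings):
    """Render the findings as audit-style lines; returns the lines for reuse."""
    lines = []
    for o in findings["unauthorized"]:
        lines.append(f"UNAUTHORIZED  {o.host} {o.setting}: {o.old_value} -> {o.new_value}")
    for a in findings["not_applied"]:
        lines.append(f"NOT APPLIED   {a.ticket} {a.host} {a.setting} (expected {a.expected_value})")
    for a, o in findings["not_as_specified"]:
        lines.append(f"NOT AS SPEC   {a.ticket} {a.host} {a.setting}: got {o.new_value}, expected {a.expected_value}")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(AUTHORIZED, OBSERVED)):
        print(line)
```

Each finding list corresponds to one objective, so an empty result for all three is the evidence an auditor would want that the change window met its objectives; a non-empty "unauthorized" list is the signal that production was modified outside the control, which is the case the text singles out as the one to protect against.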