CHAPTER FIFTEEN
Governance Techniques
THIS CHAPTER COVERS the need for, and use of, governance techniques such as change-control reviews, operational reviews, and reviews against the International Organization for Standardization (ISO) 9000 quality-management standards.
CHANGE CONTROL
Periodically it becomes necessary to modify an existing hardware and/or software configuration as a result of:
- Hardware changes as a result of performance improvements or reconfigurations caused by changes to other systems
- Hardware failures during normal operations
- The detection of a software error during normal operations
- Changes to legislation affecting the organization’s business systems
- A change to the business operation of the organization requiring alterations within the information systems
Whenever one of these events occurs, the extent of the change required to the existing system configuration must be determined, and the change must be applied in a controlled manner so as to avoid any undue disruption to normal processing. It is critical that, during periods of change, the production versions of software are protected against unauthorized, untested, or malicious changes.
Change control’s objective is to ensure risk is controlled, not introduced, during a change. This means ensuring that:
- All changes are authorized
- All authorized changes are made
- Only authorized changes are made
- All changes are as specified
- All changes are cost effective
This control requires a coordinated effort involving managers, users, information systems ...