
Best Practices to Align Your Change Management Objectives with the COBIT Framework
Achieve compliance, create value and minimize risk.
The Control Objectives for Information and Related Technology (COBIT) framework enables organizations like yours to achieve their strategic governance and management objectives while creating value and mitigating risk down to a level that is acceptable for the business. Use this guide to help your organization develop, document and implement a foundation for change management that adheres to COBIT control practices while meeting the needs of your internal and external stakeholders.
Each entry below gives the control number, the COBIT control practice, and how to meet your control objectives.

AI6.1 Change standards and procedures

AI6.1.1
COBIT control practice: Create a change management framework that specifies the policies and processes for:
• Roles and responsibilities
• Classification and prioritization
• Assessment of impact
• Authorization and approval of all changes
• Tracking and status changes
• Impact on data integrity
How to meet your control objectives: Align your change management practices with your organization’s control objectives. This can be achieved when you:
• Set role-based access that ensures your users only have the access they need to perform their job role.
• Classify and track your changes by priority and risk.
• Perform impact analysis for patches and object changes so that you can measure the impact they will have downstream.
• Ensure that the change process is followed and that all changes are authorized and approved. Approval requests can be automated to allow business and IT owners to review and approve changes via email.
• Schedule status reports to run and for results to be sent to stakeholders so they are informed throughout each step of the process.
• Ensure that version and deployment automation changes are completed consistently between environments, eliminating issues you might have that result from human error.

AI6.1.2
COBIT control practice: Establish and maintain control over all changes.
How to meet your control objectives: Ensure your solution enables you to natively version all of your change objects as well as integrate with leading version control management tools such as TFS, PVCS, SVN and Git.

AI6.1.3
COBIT control practice: Implement roles and responsibilities that involve business process owners and the appropriate technical IT functions. Ensure appropriate segregation of duties.
How to meet your control objectives: Define roles to accommodate those who require access to your production environment. Ensure that access is only granted following the principle of least privilege.

AI6.1.4
COBIT control practice: Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Escalate and report changes to management that are not closed in a timely fashion.
How to meet your control objectives: Provide a complete security audit trail and track changes throughout all phases of the process. Enable automatic escalation to ensure that the appropriate people are notified when you have overdue changes, tasks and/or status updates.

AI6.1.5
COBIT control practice: Consider the impact of contracted service providers (for example, infrastructure, application development and shared services) on the change management process. Consider the impact of the organizational change management process on contractual terms and service-level agreements (SLAs).
How to meet your control objectives: Track all changes for a specific group, such as consultants or service providers outside the enterprise resource planning team, when you use the role, group membership or custom application support functions. Support multiple change types, priorities and resource tracking, as well as measure and initiate changes by type, priority or group as required by the specific SLA.

AI6.2 Impact assessment, prioritization and authorization

AI6.2.1
COBIT control practice: Develop a procedure to allow business process owners and IT to request changes to infrastructure, systems or applications. Develop controls to ensure that all such changes arise only through the change request management process.
How to meet your control objectives: Define your change request types according to what is relevant to your business. Ensure process alignment, compliance and proper segregation of duties by setting the appropriate workflow(s) for each change type, including the business, transfer and status rules as well as the tasks, process flow, migration path and approvals required by the business to mitigate risk.

AI6.2.2
COBIT control practice: Categorize all requested changes (for example, infrastructure, operating systems, networks, application systems, purchased/packaged application software).
How to meet your control objectives: Streamline your workflow by categorizing changes according to domain, application, change type, priority and status.

AI6.2.3
COBIT control practice: Prioritize all requested changes. Ensure that the change management process identifies both the business and technical needs for the change. Consider legal, regulatory and contractual reasons for the requested change.
How to meet your control objectives: Organize your changes according to their business and IT priority. Track and report on change types, priorities and status to ensure your changes are on time, within budget and meet the established SLA guidelines.

AI6.2.4
COBIT control practice: Assess all requests in a structured fashion. Ensure that the assessment process addresses impact analysis on infrastructure, systems and applications. Consider security, legal, contractual and compliance implications of the requested change. Consider also interdependencies among changes. Involve business process owners in the assessment process, as appropriate.
How to meet your control objectives: Perform an impact analysis on patches and all objects. Automating this process enables you to conduct compliance and security reviews throughout the workflow to ensure the change request is within scope and compliant with the defined processes and procedures.

AI6.2.5
COBIT control practice: Ensure that each change is formally approved by business process owners and IT technical stakeholders, as appropriate.
How to meet your control objectives: Automate the approval process to ensure that all changes are properly reviewed, prioritized and approved by the appropriate stakeholders.

AI6.3 Emergency changes

AI6.3.1
COBIT control practice: Ensure that a documented process exists within the overall change management process to declare, assess, authorize and record an emergency change.
How to meet your control objectives: Document your emergency change workflow, including reasoning, approvers and who executed the change, then retain that information within the change request for your next compliance audit.

AI6.3.2
COBIT control practice: Ensure that emergency changes are processed in accordance with the emergency change element of the formal change management process.
How to meet your control objectives: Define your emergency change business, transfer and status rules, as well as notification and approval rules, as necessary to ensure they are in line with your business objectives.

AI6.3.3
COBIT control practice: Ensure that emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
How to meet your control objectives: Capture access changes, migration approvals and migration override details for emergency change events and append them to the change request, ensuring they are reportable and auditable. You should also establish an automated emergency change workflow that fully documents the process and actions taken, eliminating the need for additional access or overrides.

AI6.3.4
COBIT control practice: Conduct a post-implementation review of all emergency changes, involving all concerned parties. The review should consider implications for aspects such as further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.
How to meet your control objectives: Workflow and reporting capabilities enable you to conduct post-implementation reviews to ensure that your change process is aligned with your business objectives, and to periodically make changes to the process as necessary.

AI6.4 Change status and tracking

AI6.4.1
COBIT control practice: Establish a process to allow requestors and stakeholders to track the status of requests throughout the various stages of the change management process.
How to meet your control objectives: Select a solution that enables you to report on all phases of the change process, including status, priority, approvers, applications, types and objects.

AI6.4.2
COBIT control practice: Categorize change requests in the tracking process (for example, rejected, approved but not yet initiated, approved and in process, and closed).
How to meet your control objectives: Demonstrate your compliance to the board and ensure you meet regulatory mandates by categorizing, tracking and reporting on all phases of the change process.

AI6.4.3
COBIT control practice: Implement change status reports with performance metrics to enable management review and monitoring of both the detailed status of changes and the overall state (for example, aged analysis of change requests). Ensure that status reports form an audit trail so changes can subsequently be tracked from inception to eventual disposition.
How to meet your control objectives: Provide your senior management and board with visibility into the change process by providing them with metrics, security, compliance, audit, disposition and statistics using the advanced reporting capabilities.

AI6.4.4
COBIT control practice: Monitor open changes to ensure that all approved changes are closed in a timely fashion, depending on priority.
How to meet your control objectives: Proactively monitor the status of all changes throughout the change lifecycle, and create personal and business rules that provide automated notifications of status changes and overdue tasks.

AI6.5 Change closure and documentation

AI6.5.1
COBIT control practice: Ensure that documentation — including operational procedures, configuration information, application documentation, help screens and training materials — follows the same change management procedure and is considered to be an integral part of the change.
How to meet your control objectives: Eliminate time-consuming processes associated with audit and compliance by retaining documentation from the entire change lifecycle in a single repository.

AI6.5.2
COBIT control practice: Consider an appropriate retention period for change documentation and pre- and post-change system and user documentation.
How to meet your control objectives: Retain all change management documentation, including object versions, in a single, auditable file, and purge documents based upon business requirements.

AI6.5.3
COBIT control practice: Update business processes for changes in hardware or software to ensure that new or improved functionality is used.
How to meet your control objectives: Review and refine your change controls and processes to ensure their alignment with business processes and regulatory and compliance mandates.

AI6.5.4
COBIT control practice: Subject documentation to the same level of testing as the actual change.
How to meet your control objectives: Empower your organization and meet your documentation requirements by maintaining workflows, task logs and attachment functionality.

© 2015 Dell Inc. All rights reserved. Dell, the Dell logo and Dell products are registered trademarks or trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to
either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others. Dell publisher accreditations and/or partnership levels and services
can vary by country. Handout-COBITchecklist-US-VG-26637