Routine modifications involve making changes to application or operating system software to improve performance, correct problems, or enhance security. Routine modifications can be simple or complex, but are not of the magnitude of major modifications and can be implemented in the normal course of business.
Routine change standards should include change request, review, and approval procedures and require management to plan, test, and document all changes prior to implementation. Well defined implementation plans, which often include automated deployment tools, are especially important for large organizations that must implement changes over numerous or widely dispersed networks. Change standards should also address communication procedures to ensure management quickly notifies affected parties of all changes.
Organizations should coordinate software modifications and patches through a centralized change management process. Centralized oversight is necessary due to the interdependence of technology systems and operations. Large institutions should consider using specialized change control committees to coordinate activities. Smaller institutions can often use technology steering committees to effectively manage the process. Oversight committees help clarify request requirements and help ensure all departments are aware of pending changes. The committees should include sufficient representation from business, technology, security, quality assurance, and audit departments to ensure changes support business objectives and do not adversely affect operations or security.
Management should review all proposed changes to ensure modifications are appropriate for the system involved. Additionally, management should ensure modified programs are compared to change authorization documents to determine that only approved changes were implemented. The absence of sound controls and accurate documentation can cause problems when management installs subsequent systems. Standard change request forms, library and version controls, and spreadsheets or automated change logs facilitate management's ability to track, report, and analyze changes. Comprehensive change logs are a prerequisite to all change control processes.
Change request forms should provide an accurate chronological record and description of all changes. The forms should provide sufficient information for affected parties to understand the impact of a change and include:
- Request date;
- Requestor's name;
- Description of change;
- Reasons for implementing or rejecting a change;
- Justification for change;
- Approval signature(s); and
- Change control number.
If a change request is approved, the request form should be submitted to the appropriate technology department. The organization should develop additional documentation during the change process that includes:
- Priority information;
- Identification of affected systems, databases, and departments;
- Name of individual responsible for making the change;
- Resource requirements;
- Projected costs;
- Projected completion date;
- Projected implementation date;
- Potential security and reliability considerations;
- Testing requirements;
- Implementation procedures;
- Estimated downtime for implementation;
- Backup/Back-out procedures;
- Documentation updates (program designs and scripts, network topologies, user manuals, contingency plans, etc.);
- Change acceptance documentation from all applicable departments (user, technology, quality assurance, security, audit, etc.); and
- Post-implementation audit documentation (comparison of expectations and results).
After program modifications are completed, all program codes (source code, object code, patch code, load module, etc.) should be secured. Securing the codes provides some assurance that the programs cataloged to production environments are unaltered versions of the approved and tested programs. Management should establish program approval standards that include procedures for verifying test results, inspecting modified code, and confirming source and object codes match.