II.C.10     Change Management Within the IT Environment

Action Summary

Management should have a process to introduce changes to the environment in a controlled manner. Changes to the IT environment include the following:

  • Configuration management of IT systems and applications.
  • Hardening of systems and applications.
  • Use of standard builds.
  • Patch management.

The IT environment consists of operating systems,An operating system is fundamental software that supports and manages software applications, allocates system resources, provides access and security controls, maintains file systems, and manages communications between end users and hardware devices. middleware,Middleware is software that connects two or more software components or applications. applications, file systems, and communications protocols. The institution should have an effective process to introduce application and system changes, including hardware, software, and network devices, into the IT environment. The process for introducing software should encompass securely developing, implementing, and testing changes to both internally developed and acquired software.

Application and system control considerations for introducing changes to the IT environment before implementation should include the following:

  • Developing procedures to guide the process of introducing changes to the environment.
  • Clearly defining requirements for changes.
  • Restricting changes to authorized users.
  • Reviewing the impact that changes have on security controls.
  • Identifying all system components affected by the changes.
  • Developing test scripts and implementation plans.
  • Performing necessary tests of all changes to the environment (e.g., systems testing, integration testing, functional testing, user acceptance testing, and security testing).
  • Defining rollback procedures in the event of unintended or negative consequences with the introduced changes.
  • Ensuring the application or system owner has authorized changes in advance.
  • Maintaining strict version control of all software updates.
  • Validating that new hardware complies with institution policies.
  • Ensuring network devices are properly configured and function appropriately within the environment.
  • Maintaining an audit trail of all changes.

Refer to the IT Handbook's "Development and Acquisition" booklet for more information.


Previous Section
II.C.9(a) Wireless Network Considerations
Next Section
II.C.10(a) Configuration Management