Compliance 101: Change Control
A defined change management process will go a long way in ensuring that your company’s security environment addresses risk and is compliant in the long run.
Understanding Change Controls
Change Control is a term describing the process of managing how changes are introduced into a controlled system. Having a defined change management process firmly in place will go a long way in making sure that your company’s security environment addresses risk and is compliant in the long run. Change control typically consists of at least the following five distinct phases:
- Plan/Scope: define what prospective change(s) are to be made. This stage should document what change(s) are required, who will make the change, how and when it will be made, and how success will be verified.
- Assess/Analyze: determine what effects the change(s) will have. Risk assessment is a very important stage, as making a change can have a significant impact. All related areas should be accounted for.
- Review/Approve: an approval process is usually required in any change control model. The impact of the change is considered in the context of the business and the appropriate ‘owner’ either rejects or authorizes the change(s).
- Build/Test: those responsible for actioning the change(s) should execute the change in a controlled manner (or environment) where it can be validated to ensure that the defined requirements are met and that no unforeseen issues occur.
- Implement: apply the change(s), and have the relevant stakeholder(s) review the results against the desired outcome.
When it comes to your security environment, these steps often include:
- Approving changes before they are made.
- Retaining documentation of approvals, including steps that involve self-monitoring and regular auditing of changes.
- Preventative controls to ensure that planned security changes are tested for the creation of segregation of duties (SoD) conflicts or unacceptable critical access BEFORE access is granted.
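The preventative control in the last point can be expressed as a gate that runs before approval: evaluate the user's role set as it would look after the change, not just the roles being added, so a new role that conflicts with an existing one is caught. The following is an added illustration, not ALLOut's tooling or any JDE API; the role names, SoD rules and critical-role list are constructed for the example.

```python
"""Pre-approval SoD and critical-access check for a planned security change.

Constructed example: role names, SoD rules and the critical-role list are
invented for illustration and do not come from any real JDE configuration.
"""
from dataclasses import dataclass, field

# Role pairs that one user must never hold together, with the risk each creates.
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "create and pay an invoice",
    frozenset({"VENDOR_MAINTENANCE", "AP_PAYMENT_RELEASE"}): "create a vendor and pay it",
    frozenset({"PAYROLL_SETUP", "PAYROLL_RUN"}): "configure and run payroll",
}

# Roles whose grant always requires explicit owner sign-off.
CRITICAL_ROLES = {"SECURITY_ADMIN", "SYSTEM_ADMIN"}


@dataclass
class ChangeRequest:
    user: str
    add_roles: set
    remove_roles: set = field(default_factory=set)


def assess_change(current_roles, change):
    """Return findings for a change, evaluated on the post-change role set
    (current + added - removed). An empty list means no SoD conflict and no
    critical access, so the request can move on to the approval step."""
    resulting = (set(current_roles) | change.add_roles) - change.remove_roles
    findings = []
    for pair, description in SOD_RULES.items():
        if pair <= resulting:  # both roles of the pair would be held
            a, b = sorted(pair)
            findings.append(f"SoD conflict: {a} + {b} lets {change.user} {description}")
    for role in sorted(change.add_roles & CRITICAL_ROLES):
        findings.append(f"Critical access: {role} requested for {change.user}")
    return findings


def is_approvable(current_roles, change):
    """True only when the change produces no findings."""
    return not assess_change(current_roles, change)


if __name__ == "__main__":
    # Existing AP_INVOICE_ENTRY plus requested AP_PAYMENT_RELEASE is a conflict;
    # the same request that also removes AP_INVOICE_ENTRY is clean.
    for req in (ChangeRequest("jdoe", {"AP_PAYMENT_RELEASE"}),
                ChangeRequest("jdoe", {"AP_PAYMENT_RELEASE"}, {"AP_INVOICE_ENTRY"})):
        print(req, assess_change({"AP_INVOICE_ENTRY"}, req) or "OK to approve")
```

The check is deliberately run against current plus requested roles: testing the requested role alone would miss the most common SoD break, where a new role conflicts with one the user already holds.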
ALLOut Tip
The reporting used for critical access and user reviews touched on in previous articles can support the monitoring and auditing steps required to identify risk and non-compliance. Security change reports can be used to put monitoring controls in place to ensure adherence to policies around access approvals. Additionally, using ALLOut tools to automate change control steps and manage information within your JDE system can reduce risk and simplify audits.