We are seeing findings related to change management cropping up in several audit reports this year. Appropriately scoping change management can be tricky in smaller financial institutions which do not code their own applications. In such cases, pointing to a third party or managed IT provider may cover many of the controls needed, such as coding, testing, back out plans, etc. However, the trick here, as always, is understanding the roles in the bank vs. third party. We all know very well that while we outsource the responsibility of performing the task the bank is still ultimately responsible for risk.
For each step below ensure it is covered in a policy and understand who is responsible for which step as well as the communication points between your bank and the third party to ensure your bank has the oversight needed to understand and manage the risk.
1. Risk rate your changes- this is where efficiency can really kick in. Low risk and standard changes can fast track through the process with appropriate documentation and approval. Significant rated changes, though, require the full gamut of the process because they are high risk prior to implementation. Also considered as high risk changes are emergency changes, but due to the emergency at hand we ask forgiveness so to speak, by creating the documentation and testing on the backend. Here’s a breakdown of the change types:
This doesn’t have to be a newly formed group, rather you may be able to leverage a current management level committee for this, such as an IT Steering Committee, just add an agenda item and voila, we have a CAB!
4. Train users on the changes, if significant. Don’t forget as we identify the changes to the system, and perhaps business processes that the users of the system may need training to execute their jobs. This should be discussed, planned where needed and approved by the CAB.
5. Document the changes- Since we’ve been doing all this great work, let’s take credit by documenting and showing the auditors and examiners how well we are doing! Documentation can be in a ticketing type system or documented and saved in files for a simpler environment. Documentation should include at least the following for each change:
Requirements- What changes are required? Why are these needed? How did we risk rate this change?
I hope this has helped to de-mystify and simply change management. If you need help with your change management policy or understanding the process, please contact us at support@bedelsecurity.com.
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
The Perfect Meeting Agenda to Improve IT & Cyber Governance
https://www.bedelsecurity.com/blog/the-perfect-meeting-agenda-to-improve-it-cyber-governance
Your Information Security Program Needs Focus
https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus
Two Essential Ingredients to Improve Your Information Security Program
https://www.bedelsecurity.com/blog/two-essential-ingredients-to-improve-your-information-security-program
The Gist of Governance
https://www.bedelsecurity.com/blog/the-gist-of-governance