Why change management needs review by IT security

In 2015, nearly 100 million healthcare records were compromised, according to an IBM Study. It is an eye-opening statistic to which more healthcare organizations need to pay attention. Unfortunately, investigations conducted by the HHS Office for Civil Rights often reveal that healthcare organizations fail to implement policies and procedures to prevent security violations or effectively manage risk.

Facing such staggering breaches, these organizations must enable corrective action plans with a formal Information Security Policy, as well as a comprehensive risk management plan that includes IT change management policies and procedures.

Traditionally, organizations minimally practice some aspects of change management in the form of planning and testing, but often there is a lack of formalization and consistency or a culture of believing that circumventing the change management process will allow things to work more efficiently. As a result, organizations that don't properly manage IT changes lose time, money and efficiency, but more importantly, can increase their susceptibility to breaches.

IT change management is the practice of ensuring all IT changes are carried out in a planned and authorized manner. This includes ensuring that there is a business reason behind each change, identifying the specific configuration items and IT services affected by the change, testing the change, and having a plan to reverse course if a change causes an unexpected result. The primary purpose of IT change management is to prevent unintentional outcomes from negatively impacting the organization and ensuring that any IT change is implemented according to an approved process.

Information security should be embedded into the change management process to ensure that all changes have been assessed for risks. This includes assessing the potential for introducing new vulnerabilities into the environment and the potential business impacts that could occur if a change produces undesired results. Changes will always involve some amount of risk, but risk can be minimized if changes are adequately reviewed, assessed and coordinated through a formal change management process.

One of the biggest challenges is gaining buy-in from users so that they follow the change management process and not circumvent it. Change management helps avoid problems by increasing upfront communication and identifying issues before they happen. Without direct oversight and monitoring of change management across every system, device and application, organizations cannot holistically protect against internal or external security and risk issues occurring throughout their environment.

There are key steps in an effective change management process:

• Document and implement a change management policy and procedure and ensure the process oversees and monitors all changes to existing and new technologies such as servers, desktops, applications and databases.
• Establish a detailed process flow for applying the change with back-out plans and integrate security reviews prior to a change and post introduction to validate installation is consistent with security requirements.
• Define and assign roles and responsibilities to coordinate, document, communicate and approve change requests and ensure that only those individuals authorized to carry out a change, has the relevant access and that all necessary approvals are received prior to a change being introduced.
• Establish and regularly assemble a Change Advisory Board, composed of technical and business membership, while communicating change plans to all stakeholders within a reasonable time prior to the scheduled change.
• Test the change in a non-production environment prior to implementing any change in the production environment.
• Ensure the asset inventory is updated whenever a technology is added, modified or removed from the environment, including the installation of software and software patches to provide an accurate and complete view of organizational assets.
• Provide ongoing training and communications to ensure users thoroughly understand and follow the change management process and its value to the organization.
• Track approvals, decisions and variances in a change management repository including the associated rationale behind decisions made and ensure all changes are carefully documented.
• Establish metrics to provide a process baseline, determine the effect of process improvements, identify areas where the process may be ineffectual or broken, and assess improvements that could make the process more effective or efficient.

The change management process is designed to provide an effective means of reviewing, assessing and coordinating changes to promote the intended consequences of change while minimizing the potential consequences of change. There are a number of other benefits offered by effective and efficient change management, including risk mitigation, architectural integrity, encouraging a business-oriented focus, and the long-term automation of routine tasks.

Effective change management helps prevent negative impacts from occurring by providing the right amount of time and expertise to properly balance the risk and reward of change. Better communications between users and the IS organization will result in greater understanding of each other's needs and priorities, while highlighting that business units do not operate in isolation.

Organizations that properly manage their change processes have significantly higher IT service quality than those that do not. As a result, change management is a prerequisite and not an option to providing high IT service quality.