Introduction to Change Management and SDLC

1 Introduction to Change Management and SDLCM anagement and SDLCS teve OwyoungDoug MohrlandSr. ManagerAudit ManagerKPMG LLP, IT AdvisoryOracle CorporationDiscussion topicsoWhy Change Management and its significanceoTypes of changes in production environmentoChange Management controlsoImpact of weak Change Management controloImpact of weak Change Management controloIntegrity managementoChange Management leading practicesoSoftware Development Life Cycle (SDLC)2 Why Change managementand its significance?Why Change Management and its significance? Change Management controlsImpact of types of changes in production environment231 Organization3 Impact of weak Change controlIntegrity managementChange Management leading practices4567 Software Development Life CycleOrganizationWhy Change managementand its significance?Why Change Management and its significance? Change Management controlsImpact of types of changes in production environment231 Total fraud losses in the United Statesestimated to be $994 billion in 2008Of all the computer crimes reported:Computer fraud4 Impact of weak Change controlIntegrity managementChange Management leading practices4567 Software Development Life CycleManagers11%14%18%12%31%OthersApplic ation ProgrammersClerical UsersStudentsComputer fraudOccupation75% - 90%computer crimecommitted by former or current employees(knowledgeable insiders)Why Change Managementand its significance?

2 Why Change Management and its significance? Change Management controlsImpact of types of changes in production environment231 Change Management it is significant because it helps an organization to be efficientAdapting tochangeControlling changeEffecting change5 Impact of weak Change controlIntegrity managementChange Management leading practices4567 Software Development Life CyclechangechangechangeTypes of changesChanges in production environmentNetwork EquipmentInternetTypes of changes in production environmentChange Management controlsImpact of Why Change Management and its significance?2316 Physical ControlImpact of weak Change controlIntegrity managementChange Management leading practices4567 Software Development Life CycleChange Management controlsPlanned/routine maintenance changes procedure and controlsChange Management controlsTypes of changes in production environmentImpact of Why Change Management and its significance?

3 2317 Impact of weak Change controlIntegrity managementChange Management leading practices4567 Software Development Life CycleChange Management controlsEmergency/System Recovery Change procedure and controlsChange Management controlsTypes of changes in production environmentImpact of Why Change Management and its significance?231 Approved by Management or by the staff managing the production systems?EMERGENCY CHANGESThe Change requestor solicits Management approval (verbal is acceptable)Implement Change into productionThe changes and the back out plans Notify all the constituents before production implementationNoCHANGE REQUESTORR equest a Change (complete Test required?YesNoYesYes8 Impact of weak Change controlIntegrity managementChange Management leading practices4567 Software Development Life CycleSYSTEM RECOVERYThe production support staff immediately respond and start resolving the issuePerform testing (test environment)The staff managing the production systems perform professional judjment and make a decision whether to proceed or cancel the emergency Change Test passed?)

4 Back out plans should be documented in the Change Request Form for later Management reviewPerform post implementation monitoringRequest a Change (complete an Emergency Change Request Form)YesNoImpact of weak Change controlsImpact of types of changes in production environmentChange Management controlsWhy Change Management and its significance?2341oFinancial loss Brand/reputational damage Losing a customer/ businessoLegal exposure (sensitive data disclosure)oUnplanned, unauthorized and 9weak Change controlIntegrity managementChange Management leading practices4567 Software Development Life CycleoUnplanned, unauthorized and undocumented changes oProne to system attack / outages (DoS)oMisuse of resources (unplanned work)Integrity managementTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?2341oPrevention Restrict logical access Firewall, IDS, OS and Application Unnecessary services Disable at the servers Block by the firewalls10 Integrity managementweak Change controlChange Management leading practices4567 Software Development Life Cycle Block by the firewalls Restrict physical access Restrict physical access that houses critical systems to ONLY authorized employees Perform periodic physical access reviewsIntegrity managementTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?

5 2341oDetection Monitor metadata and look for changes Create, store and monitor baseline metadata values Metadata values: modification time, file size and cryptographic checksum Integrity Management Software11 Integrity managementweak Change controlChange Management leading practices4567 Software Development Life Cycle Integrity Management Software Reads files or directories to monitor critical network configuration, data files, customer database files, documents and spreadsheets Takes action when a violation ( Change ) occurs Intrusion detection (IDS)Integrity managementTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?2341oRecovery Maintain a backup copy of the production data Identify changes based on the Integrity Management Software report12 Integrity managementweak Change controlChange Management leading practices4567 Software Development Life CycleManagement Software report Determine whether a Change is authorized or not Restore a file if the Change is deemed unauthorized or maliciousChange Management leading practicesTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?

6 2341oChange Management policy, procedure and standardsoChange request managementoApproval processoDeployment management13 Change Management leading practicesweak Change controlIntegrity management4567 Software Development Life CycleoDeployment managementoChange result managementoMonitor application and networksChange Management leading practicesTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?2341 Change Management policy, procedure and standardsoPrioritize/categorize changes based on downtime, lead time, type of services and severity of the Change (Low, Medium, High Urgent)oRoles and responsibilities Define and designate qualified personnel s roles14 Change Management leading practicesweak Change controlIntegrity management4567 Software Development Life Cycle Define and designate qualified personnel s roles Segregation of duties (SOD) Communication Enforce Change - Management processChange Management leading practicesTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?

7 2341 Change Request ManagementoChange Request Analysis Business Analysis The likelihood of success Significance to business Resources required and business justification Technical Analysis System dependencies15 Change Management leading practicesweak Change controlIntegrity management4567 Software Development Life Cycle System dependencies Technical requirement Project estimateoChange Request Reporting Make the Change requests visible to Management Retain status of the Change request when it is analyzed, prioritized, tested and deployedChange Management leading practicesTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?2341 Approval ProcessoAppropriate approval should be obtained between the different phases of Change Management processoManagement approval should be documented16 Change Management leading practicesweak Change controlIntegrity management4567 Software Development Life CycledocumentedChange Management leading practicesTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?

8 2341 Deployment ManagementoLogical environment (separate) Development, Test/QA and ProductionoDeployment process High category changes Low/Medium category changes17 Change Management leading practicesweak Change controlIntegrity management4567 Software Development Life Cycle Low/Medium category changes Emergency changesoLeverage Technology To provide auditability and versioning throughout the deployment processChange Management leading practicesTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?2341 Result managementoKey Performance Indicators (KPI) about the entire Change Management Process Process bottlenecks, successful techniques, the KPIs (by Management ) to make 18 Change Management leading practicesweak Change controlIntegrity management4567 Software Development Life CycleoUse the KPIs (by Management ) to make adjustments to the Change Management procedure and practicesoPost Change implementation monitoringChange Management leading practicesTypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?

9 2341 Monitor application and networksoIntegrity checks using automated monitoring tools Incident response Escalation process19 Change Management leading practicesweak Change controlIntegrity management4567 Software Development Life CycleoPeriodic reviews User access OS, apps, network, etc. System configuration servers, network equipment, Development Life CycleRelationship between Change Management and SDLCT ypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?2341oManaging Change is a critical component of any SDLC model Change Management and SLDC are not mutually exclusiveoChange Management occurs throughout the development life cycleoCost of changes is higher once out of 20 Software Development Life Cycleweak Change controlIntegrity management4576 Change Management leading practicesoCost of changes is higher once out of developmentSoftware Development Life CycleRelationship between Change Management and SDLCT ypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?

10 2341oWaterfall model21 Software Development Life Cycleweak Change controlIntegrity management4576 Change Management leading practicesSoftware Development Life CycleRelationship between Change Management and SDLCT ypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?2341oIterative model Agile Methodology Rational Unified Process (RUP) Rapid Application Development (RAD) Joint Application Development (JAD)22 Software Development Life Cycleweak Change controlIntegrity management4576 Change Management leading practicesSoftware Development Life CycleRelationship between Change Management and SDLCT ypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?2341 Mange ChangeoPrototyping23 Software Development Life Cycleweak Change controlIntegrity management4576 Change Management leading practicesSoftware Development Life CycleRelationship between Change Management and SDLCT ypes of changes in production environmentChange Management controlsImpact of weak Change Why Change Management and its significance?