AI6 Change Standards and Procedures
Set up formal change management procedures to handle all requests (including maintenance and patches) in a standardized manner.
Illustrative Controls and the TIBCO LogLogic Solution
Managing changes addresses how an organization modifies system functionality to help the business meet its financial reporting objectives. Deficiencies in this area might significantly impact financial reporting. For example, changes to the programs that allocate financial data to accounts require appropriate approvals and testing before the change is made, to ensure classification and reporting integrity.
Businesses must ensure that requests for program changes, system changes, and maintenance (including changes to system software) are standardized, documented, and subject to formal change management procedures.
To satisfy this control objective, administrators must review all changes to the production environment and compare the changes to documented approvals to ensure the approval process is followed. From the archived audit log data, obtain a sample of regular and emergency changes made to applications/systems to determine whether they were adequately tested and approved before being placed into a production environment. Trace the sample of changes back to the change request log and supporting documentation.
Review all changes to the production environment and compare them to documented approvals, using alerts and reports on policy modifications, group activities, escalated privilege activities, and permission changes.