In the CISA Chapter 3.10, it mentions the importance of configuration management in the information systems maintenance phase. Configuration management performs a series of measures to control and regulate software products and their development process and life cycle through technical or administrative means. The goal of configuration management is to document the evolution of software products to ensure that software developers are accurately configured at all stages of the software life cycle. Good configuration management can make the software development process more predictable and the software system more repeatable. Because the configuration management process directly connects the product development process, the developer, and the final product, which are the focus of the project manager, the configuration management system also plays an important role in software project management.
Chapter 3.10 of the CISA Manual touches upon the “change management process” with regards to a focus on the maintenance side of the SDLC. The maintenance step of the SDLC occurs after implementation and is there to ensure the usability and effectiveness of the information system, application, or product after the initial release. If a bug pops up in the software or if the system crashes, continual maintenance is needed to ensure that the bug is fixed and that the system is operational. The critical point to preventing too much maintenance and ensuring the overall usability of the system lies with the change management process. As a good IS auditor implements a sufficient change management plan, the effectiveness of the system and its overall processes will be increased and bugs and unexpected alerts should be mitigated.
In Chapter 3.10, it focuses on change management during the maintenance phase and the similarities it has with the whole SDLC. Maintenance is as important as development because with the completion of each iteration, a new change will pop up so the system can stay up to date. The process starts with the submission of a change request, and then these request forms are approved or denied. The module focuses on the critical documentation needed for each request and on ensuring the system complies with the approved request.
I agree, the maintenance process never seems to end as long as the application is in use. I also agree with you that maintenance is as important as development.
Chapter 3.10 focuses on change management. It adds the significance of proper change documentation. With each new stage of development, there is a new possibility for maintenance. There has to be documentation for each proposal of change. This could include a change in design, a patch, a new feature, etc… Maintenance truly never ends. Testing can never truly be 100% so you can never truly know 100% of possible issues that might arise. Because of this, you can never truly be at rest when it comes to maintenance.
Agreed, Panayiotis. Due to the rapid growth of technology and new technology being introduced all the time, maintenance of an information system becomes imperative. This is because the systems need to stay up-to-date to support the business, as well as, stay in compliance with government laws and regulations. Therefore, change management is a never-ending process. Requested and applied changes must be documented to avoid disruption.
Emergency changes are sometimes necessary to resolve a current issue within a system in order to prevent a possible system/application failure. We can understand the importance of having the ability to make these expedited changes, however, IS auditors should pay a little more mind to this area to ensure that these changes were appropriate for the system. Moreover, auditors should review whether this change was an emergency change or not, and how often the event of emergency change occurs within an organization’s information system. While we shouldn’t assume that every person has malicious intent, auditors should keep a certain level of skepticism regarding procedures like emergency change, since it grants access directly to the production environment and could potentially be damaging to the company.
Hi Sarah,
I cannot agree more that auditors should focus more on determining whether the emergency is necessary or not, and the company’s IT environment would be unstable if there were a relatively larger number of emergency changes. IT auditors would find out the root causes, and it could be poor policy design or unauthorized changes.
Sarah, thanks for discussing the importance of skepticism. Information security auditors are required to exercise the attitude of professional skepticism, which requires a questioning mind and a critical assessment of audit evidence throughout the audit process. The auditor neither assumes that management is dishonest nor assumes unquestioned honesty. In exercising professional skepticism, the auditor should not be satisfied with less than persuasive evidence because of a belief that management is honest.
CISA Chapter 3.10 introduces “information systems maintenance practices.” System maintenance practices refer primarily to the process of managing change to application systems while maintaining the integrity of both the production hardware and application source and executable code. In this section, the most important context is to understand the change request document and know how to use it. This document has 6 sections, which are contents, usage guidance, general RFC data, the scope of change, approval/rejection, and post-implementation review. It is a formal document in either case, so the IS auditor should determine before the update whether procedures exist to ensure possession of the change request form.
Feng Gao says
Chapter 3.10 focuses on the need for systems and infrastructure life cycle management. The IS auditor has to get good knowledge about how the organization evaluates, implements, maintains and also disposes of its IT systems and IT-related components. CISA candidates are therefore expected to have a mastery of the following aspects, not just by definition, but must be in a position to understand the kind of risk or rather risks that each of the elements may cause, hence the solutions to mitigate the problems. The key concepts that the CISA students need to know are: benefits realization by the management, which is the process by which the organization or rather the business evaluates matters related to technology as applied in the business practices. Here the business focuses on the technological solutions to the business situations or rather the business problems. A problem is identified, technological solutions are suggested and the most suitable are identified to be implemented. There are very many concepts in this chapter but due to time and space this paper won’t be able to explain all of them, though it will be very vital to mention them for understanding. Another very important element useful to the CISA candidate is the project portfolio, that is, the record of all the projects being undertaken in a business at a given point of time. This is stated at a particular time of the business operation. A program is therefore the group of projects that are linked together in the business operation, and this therefore forms the portfolio program that is always managed by the project management office.
Zhu Li says
Management of infrastructure as a multifunctional system, expected to provide and support a wide range of services over an extended period of time, represents a radical departure from past practices that have focused on individual modes. In practice, infrastructures are often kept in service much longer. The demand for infrastructure depends on a wide range of economic and social activities, environmental constraints, technological options, and societal priorities.
Shuyue Ding says
Chapter 3.10 talks about change management during the IS maintenance practices, which makes sense since the maintenance phase is so similar to the whole SDLC. Users should convey system change requests to the system management by using a formal change request form, and implement changes after the change request is approved. Testing after changes is always important, as well as documentation, which should be stored offsite in case a disaster occurs. My main takeaway would be the audit of program changes, which includes: access to program libraries should be restricted, supervisory review should be conducted, change requests should be approved and documented, the potential impact of changes should be assessed, and the change request should be documented on a standard form; take a sample of the program changes and determine the changes before updating production to ensure the possession of the change request form. As IT auditors, we all know how important change management is, and the purpose of auditing this is to protect the system from unauthorized changes.
Mei X Wang says
Hi Shuyue,
I agree, change management is extremely important for the health of the system; each change request should be monitored and documented before being implemented. The potential impact of the change has to be assessed before being adapted into the system.
Yuqing Tang says
Hi Shuyue, I think change management is quite important as well. Change management records changes from events and issues, and tracks status. Configure automated workflows and notifications to improve communication and understanding between IT and business. Also, assign, calculate, and analyze change metrics to continuously optimize the change process to avoid and monitor any suspicious activities.
Imran Jordan Kharabsheh says
In a very similar fashion to the segment of the NIST 800-64 publication on “Security Considerations in the SDLC” that we were assigned to read, module 3.10 in the CISA provides a detailed account of the inner-workings of the maintenance phase of the software development life cycle. What this module provides over the article, however, is an interesting look at how best to ensure compliance in the maintenance phase, such as providing redundancy for critical documentation used during the maintenance and disposal phases of the software development life cycle. I also appreciate the details that they included in this module in regards to the standard steps often followed and enforced in the maintenance phase, which includes receiving and going through the bureaucratic steps to approve information system changes.
Haixin Sun says
One point is that distributed systems like point-of-sale systems have challenges in ensuring changed programs are rolled out to all nodes. The rollout may be performed over a long period of time to enable controls to be exercised over conversion of data, training of staff who will be using the changed software, support to be provided to users of the changed system, and reduction of the risk associated with changing all nodes at the same time and all out if wrong. Controls must ensure that all nodes are eventually updated.
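The control Haixin describes, making sure every node of a phased rollout is eventually updated, is easiest to see as a reconciliation of the node inventory against what each node last reported. The script below is an added example for this discussion, not code from the CISA manual or from any point-of-sale vendor; the node names, versions, check-in records, the target version and the staleness threshold are all constructed for the example. It separates nodes that are on the target build, still pending, reporting only stale data, or never reporting at all (the ones that a rollout can silently leave behind), and flags nodes that report but are missing from the inventory.

```python
"""Reconcile a node inventory against version check-ins during a phased rollout.

Added example (not from the CISA manual or the discussion); all data is constructed.
"""
from datetime import datetime, timedelta

# Constructed inventory of nodes that must receive the changed program.
INVENTORY = {"pos-001", "pos-002", "pos-003", "pos-004", "pos-005"}

# Constructed check-in records: (node, reported version, last check-in time).
CHECKINS = [
    ("pos-001", "2.4.1", "2024-03-10T09:00"),
    ("pos-002", "2.4.0", "2024-03-09T18:00"),  # superseded by a later report below
    ("pos-002", "2.4.1", "2024-03-10T09:05"),
    ("pos-003", "2.3.0", "2024-03-10T09:10"),  # still on the old build
    ("pos-004", "2.4.1", "2024-02-20T17:00"),  # reported the target, but weeks ago
    ("pos-099", "2.4.1", "2024-03-10T09:20"),  # reports, but is not in the inventory
    # pos-005 never reports at all
]

TARGET_VERSION = "2.4.1"
NOW = datetime.fromisoformat("2024-03-10T12:00")   # constructed "current" time


def rollout_status(inventory, checkins, target, now, stale_after=timedelta(days=7)):
    """Classify every inventoried node by its most recent check-in.

    Returns a dict with sorted node lists under the keys:
      updated  - latest report is fresh and on the target version
      pending  - latest report is fresh but on another version
      stale    - latest report is older than stale_after (cannot be trusted)
      silent   - node in inventory but no report at all
      unknown  - node reported but is not in the inventory
    """
    latest = {}
    for node, version, seen in checkins:
        seen_dt = datetime.fromisoformat(seen)
        if node not in latest or seen_dt > latest[node][1]:
            latest[node] = (version, seen_dt)

    status = {"updated": [], "pending": [], "stale": [], "silent": [], "unknown": []}
    for node in sorted(inventory):
        if node not in latest:
            status["silent"].append(node)
            continue
        version, seen_dt = latest[node]
        if now - seen_dt > stale_after:
            status["stale"].append(node)
        elif version == target:
            status["updated"].append(node)
        else:
            status["pending"].append(node)
    status["unknown"] = sorted(set(latest) - set(inventory))
    return status


def rollout_complete(status):
    """True only when every inventoried node is verifiably on the target version."""
    return not (status["pending"] or status["stale"] or status["silent"])


if __name__ == "__main__":
    report = rollout_status(INVENTORY, CHECKINS, TARGET_VERSION, NOW)
    for bucket, nodes in report.items():
        print(f"{bucket:8s} {', '.join(nodes) or '-'}")
    print("rollout complete:", rollout_complete(report))
```

The staleness rule is the part worth keeping: a node that reported the target version a month ago and then went quiet is not evidence that it is updated today, so it is reported separately rather than counted as done.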
Raisa Ahmed says
CISA 3.10 discusses maintenance practices and the change management process. Maintaining a system is as important as its development. Since technology advancements are announced almost every week, maintenance is necessary so that the system stays up-to-date. A formal process is started for performing and recording changes. A documented change management form must be submitted for all requested changes. The change request must be submitted by end users, operational staff and system development/maintenance staff. All change management forms must be submitted in compliance with the change management process so that enough time is available for authorized personnel to review the request and make the decision to approve or deny the request. The records associated with each requested change should exist manually or automatically.
Imran Jordan Kharabsheh says
Hello,
After reading through your thoughts and conceptual takeaways of the CISA textbook 3.10 module, it became apparent that you developed a thorough understanding of how compliance is meant to be kept while going through the phases of the change management process. Going into vivid detail while explaining the compliant method of going through the phases significantly benefited my understanding of what is to be expected in regards to enforcing procedure and properly documenting changes made to the system. I can also appreciate your inclusion of storing and securing said documentation, as it can help significantly mitigate the damages of a critical system error.
Yuchong Wang says
Chapter 3.10 focuses on a change management process overview. As I have learned through the ITACS program, change management, if not handled carefully, can cause a good amount of chaos because you do not want to authorize the wrong person or document the wrong thing. And documenting is exactly one section the chapter is talking about.
To ensure the effective utilization and future maintenance of a system, it is important that all relevant system documentation be updated. Procedures should be in place to ensure that documentation stored offsite for disaster recovery purposes is also updated.
Yuan Liu says
Unauthorized access could also occur if a user attempts to access an area of a system they should not be accessing. When attempting to access that area, they would be denied access and possibly see an unauthorized access message. Some system administrators set up alerts to let them know when there is an unauthorized access attempt, so that they may investigate the reason. These alerts can help stop hackers from gaining access to a secure or confidential system. Many secure systems may also lock an account that has had too many failed login attempts.
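The two controls Yuan mentions, alerting on unauthorized access attempts and locking an account after too many failed logins, can be shown with a small detector run over authentication events. This is an added example for this discussion, not code from the CISA manual or from any product; the key=value log layout, the sample events, the failure threshold and the time window are all constructed assumptions. It parses each line, raises an alert whenever a request to a resource is denied, and locks an account once the failures inside the window reach the threshold; a successful login resets the counter, and failures spread wider than the window do not accumulate.

```python
"""Failed-login monitoring with alerting and account lockout.

Added example (not from the CISA manual or the discussion); log format and
events are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the key=value layout is an assumption of this example.
LOG_LINES = [
    "2024-03-01T08:00:01 user=alice action=login result=success src=10.0.0.5",
    "2024-03-01T08:01:10 user=bob action=login result=failure src=10.0.0.9",
    "2024-03-01T08:01:40 user=bob action=login result=failure src=10.0.0.9",
    "2024-03-01T08:02:05 user=bob action=login result=failure src=10.0.0.9",
    "2024-03-01T08:03:00 user=carol action=login result=success src=10.0.0.7",
    "2024-03-01T08:03:30 user=carol action=access resource=/admin/users result=denied src=10.0.0.7",
    "2024-03-01T08:20:00 user=dave action=login result=failure src=10.0.0.11",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: resource=(?P<resource>\S+))? result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict; raise ValueError on an unexpected layout."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyse_auth_log(lines, max_failures=3, window=timedelta(minutes=10)):
    """Return (alerts, locked_accounts).

    alerts is a list of dicts with keys type, user, ts, src. Alert types:
      unauthorized_access - a request to a resource was denied
      account_locked      - max_failures failed logins within the window
      login_while_locked  - a successful login on an account already locked
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    locked = set()
    alerts = []

    for event in map(parse_line, lines):
        user, ts = event["user"], event["ts"]
        base = {"user": user, "ts": ts, "src": event["src"]}

        if event["action"] != "login":
            if event["result"] == "denied":
                alerts.append({"type": "unauthorized_access",
                               "resource": event["resource"], **base})
            continue

        if event["result"] == "success":
            if user in locked:   # should not happen if lockout is enforced upstream
                alerts.append({"type": "login_while_locked", **base})
            failures[user].clear()   # a good login resets the failure counter
            continue

        # Failed login: keep only failures inside the window, then count them.
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= max_failures and user not in locked:
            locked.add(user)
            alerts.append({"type": "account_locked", **base})

    return alerts, locked


if __name__ == "__main__":
    found, locked_accounts = analyse_auth_log(LOG_LINES)
    for a in found:
        print(f"{a['ts']} {a['type']:20s} user={a['user']} src={a['src']}")
    print("locked:", sorted(locked_accounts))
```

The "login_while_locked" alert is there for the investigator's benefit: a detector that only counts failures would never notice that a locked account was nonetheless used, which is exactly the kind of evidence an auditor reviewing lockout enforcement wants surfaced.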
Xinye Yang says
This chapter ensures that we understand and can provide assurance that the management practices for development, testing, implementation, maintenance and disposal of systems and infrastructure will meet the organization’s objectives.
The project manager needs to determine: the various tasks that need to be performed to produce the expected business application system, and the sequence or the order in which these tasks need to be performed.
Yuchong Wang says
Hello Xinye,
It is true that quality assurance is important in an information system so the company could achieve its objective. A project manager needs to document and plan things accordingly to minimize cost and failures. System documentation needs to be updated frequently.
Deepa Kuppuswamy says
Under the CISA chapter 3.10 “Information System Maintenance Practices”, I found the Emergency Changes topic particularly interesting. Emergency changes are those changes which require immediate restoration of services due to an incident, or a change that needs to be implemented quickly in order to avoid one. IS auditors need to pay particular attention that emergency changes are handled in an appropriate and transparent manner because emergency changes involve the use of special logon IDs and firefighter IDs that grant temporary access to the production environment.
The number of Emergency Changes should be kept to an absolute minimum, with every Emergency Change being reevaluated after implementation to determine whether it was actually an Emergency Change, and if not, how to prevent such changes from being processed as Emergency Changes in the future.
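Two audit steps raised in this thread can be turned into one reconciliation: Shuyue's point that the auditor samples program changes and determines, before production is updated, that an approved change request form is on file, and Deepa's point that every emergency change is re-evaluated after implementation and that emergency changes stay a small share of the whole. The script below is an added example for this discussion, not code from the CISA manual or from any change management tool; the change request register, the production change records, the RFC identifiers and the tolerated emergency share are constructed assumptions. It reports changes with no form, forms that were never approved, emergency changes that were not reviewed afterwards, and an emergency share above the threshold.

```python
"""Reconcile production program changes against the change request register.

Added example (not from the CISA manual or the discussion); every record is
constructed sample data with hypothetical identifiers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ChangeRequest:
    rfc_id: str
    status: str              # "approved", "pending" or "rejected"
    emergency: bool          # implemented under the emergency change procedure
    post_impl_review: bool   # was the change re-evaluated after implementation?


@dataclass(frozen=True)
class ProductionChange:
    change_id: str
    program: str
    deployed_by: str
    rfc_id: Optional[str]    # None when the change was moved without a form


# Constructed change request register.
CHANGE_REQUESTS = [
    ChangeRequest("RFC-101", "approved", emergency=False, post_impl_review=True),
    ChangeRequest("RFC-102", "pending",  emergency=False, post_impl_review=False),
    ChangeRequest("RFC-103", "approved", emergency=True,  post_impl_review=True),
    ChangeRequest("RFC-104", "approved", emergency=True,  post_impl_review=False),
]

# Constructed sample of program changes moved into production.
PRODUCTION_CHANGES = [
    ProductionChange("C1", "payroll.exe", "jdoe",   "RFC-101"),
    ProductionChange("C2", "billing.exe", "asmith", None),       # no form at all
    ProductionChange("C3", "ledger.exe",  "jdoe",   "RFC-102"),  # form not yet approved
    ProductionChange("C4", "posterm.exe", "ff-01",  "RFC-103"),  # emergency, reviewed
    ProductionChange("C5", "posterm.exe", "ff-01",  "RFC-104"),  # emergency, never reviewed
]


def audit_changes(changes, requests, max_emergency_share=0.2):
    """Return a list of (change_id, finding) tuples.

    Finding codes:
      missing_form    - change has no change request form on file
      not_approved    - form exists but its status is not "approved"
      no_pir          - emergency change without a post-implementation review
      emergency_share - emergency changes exceed the tolerated share (id "summary")
    """
    register = {r.rfc_id: r for r in requests}
    findings = []
    emergency = 0
    for change in changes:
        rfc = register.get(change.rfc_id) if change.rfc_id else None
        if rfc is None:
            findings.append((change.change_id, "missing_form"))
            continue
        if rfc.status != "approved":
            findings.append((change.change_id, "not_approved"))
        if rfc.emergency:
            emergency += 1
            if not rfc.post_impl_review:
                findings.append((change.change_id, "no_pir"))
    share = emergency / len(changes) if changes else 0.0
    if share > max_emergency_share:
        findings.append(("summary", "emergency_share"))
    return findings


if __name__ == "__main__":
    for change_id, code in audit_changes(PRODUCTION_CHANGES, CHANGE_REQUESTS):
        print(f"{change_id}: {code}")
```

A change whose form references an RFC identifier that is not in the register is reported as missing_form rather than silently skipped, since from the auditor's point of view a form that cannot be produced is no better than one that was never filled in.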
Feng Gao says
Emergency Change exists only to address the needs of the organization when normal Change Management can’t be followed, generally due to time constraints and risks involved. There is no magic wand that will solve all of the specifics, and each organization should find the solution that fits best into their own operational model; prompt and efficient handling of all changes will serve to minimize the impact of change-related incidents on service quality.
Deepa Kuppuswamy says
Hi Feng,
I agree with your point that emergency changes are not like magic wands, but it is extremely important to understand the criticality of the emergency changes because when emergency access is granted, the user will get complete control over the production environment, so the emergency change should be closely monitored by the business owners.
Sarah Puffen says
I see your point. Every organization will be different when it comes to how they manage changes. I kind of see the fact that emergency change exists as being a risk itself, since the user is given a substantial amount of privilege in order to implement any changes. Also, I find that typically when something is done in haste, there is a greater potential for error. So, while an emergency change can help mitigate a risk, there is also the possibility of something falling through the cracks since that change might affect another part of the business process.
Zhu Li says
The five phases of a project constitute the project management life cycle. In project management, there are five phases: initiating, planning, executing, controlling and closing. Throughout these project phases there is a need to constantly monitor and report, which is where project management tools come in.
Initiation is the first of the five phases that constitute the project management life cycle.
Planning starts with how to manage the project so it can achieve its goals within budget and on time. It includes what resources are needed, financing and materials.
Execution is the time to start the project. Follow the plan that was created, assign the tasks to team members, and manage and monitor their progress with project management tools.
Monitoring and control ensure that the project plan is being actualized; all aspects of the project must be monitored and adjusted as needed.
Closing is the last phase of the project. This involves another set of processes, which is scope and administration. Make sure the project deliverables have been completed as planned. Close out all outstanding contracts and administrative matters, archive the paperwork and disseminate it to the proper parties.
Ryu Takatsuki says
Hi Zhu Li, I think you are right. The planning phase is also where you expedite your team on board, as a rule with a venture kickoff meeting. It is imperative to have everything sketched out and clarified with the goal that colleagues can rapidly get the chance to work in the following stage. Also, it is important to identify the project timeline, including the phases of the project, the tasks to be performed, and possible constraints for the planning phase.
Ryu Takatsuki says
I think change management is an important topic for IT auditors. The Change Management process is intended to help control the existence cycle of key, strategic, and operational changes to IT benefits through institutionalized strategies. The objective of Change Management is to control chance and limit disturbance to related IT administrations and business tasks. This would help the organization to mitigate the risks. One point that I took away is about Testing Changed Programs. The testing would need to ensure that existing functionality is not damaged by the change, system performance is not degraded because of the change, and no security exposures have been created because of the change.
Penghui Ai says
Hi Ryu,
Great comments. I agree with you that the concept of change management is an important takeaway from this chapter. In CISA Chapter 3.10, the “change management process” is discussed with regard to a focus on the maintenance side of the SDLC.
Yuan Liu says
It shows the need for systems and infrastructure life cycle management. For an IS auditor to provide assurance that an enterprise’s objectives are being met by the management practices of its systems and infrastructure, it is important to understand how an organization evaluates, develops, implements, maintains and disposes of its IT systems and related components. CISA candidates should have a sound understanding of the following items, not only within the context of the present chapter, but also to correctly address questions in related subject areas.
Yuqing Tang says
In CISA Chapter 3.10, it mentions the importance of configuration management in the information systems maintenance phase. Configuration management performs a series of measures to control and regulate software products and their development process and life cycle through technical or administrative means. The goal of configuration management is to document the evolution of software products to ensure that software developers are accurately configured at all stages of the software lifecycle. Good configuration management can make the software development process more predictable and the software system more repeatable. Because the configuration management process directly connects the product development process, the developer, and the final product, which are the focus of the project manager, the configuration management system also plays an important role in software project management.
Alexander Reichart-Anderson says
Chapter 3.10 of the CISA Manual touches upon the “change management process” with regard to a focus on the maintenance side of the SDLC. The maintenance step of the SDLC occurs after implementation and is there to ensure the usability and effectiveness of the Information System, application, or product after the initial release. If a bug pops up in the software or if the system crashes, continual maintenance is needed to ensure that the bug is fixed and that the system is operational. The critical point to preventing too much maintenance and ensuring the overall usability of the system lies with the change management process. As a good IS auditor implements a sufficient change management plan, the effectiveness of the system and its overall processes will be increased, and bugs and unexpected alerts should be mitigated.
Mei X Wang says
In Chapter 3.10, it focuses on change management during the maintenance phase and the similarities it has with the whole SDLC. Maintenance is as important as development because with the completion of each iteration, a new change will pop up so the system can stay up to date. The process starts with the submission of a change request, and then these request forms are approved or denied. The module focuses on the critical documentation needed for each request and on ensuring compliance of the system with the approved request.
Panayiotis Laskaridis says
Hello Mei,
I agree. The maintenance process never seems to end as long as the application is in use. I also agree with you that maintenance is as important as development.
Panayiotis Laskaridis says
Chapter 3.10 focuses on change management. It adds the significance of proper change documentation. With each new stage of development, there is a new possibility for maintenance. There has to be documentation for each proposal of change. This could include a change in design, a patch, a new feature, etc… Maintenance truly never ends. Testing can never truly be 100% so you can never truly know 100% of possible issues that might arise. Because of this, you can never truly be at rest when it comes to maintenance.
Raisa Ahmed says
Agreed, Panayiotis. Due to the rapid growth of technology and new technology being introduced all the time, maintenance of an information system becomes imperative. This is because the systems need to stay up-to-date to support the business, as well as, stay in compliance with government laws and regulations. Therefore, change management is a never-ending process. Requested and applied changes must be documented to avoid disruption.
Sarah Puffen says
Emergency changes are sometimes necessary to resolve a current issue within a system in order to prevent a possible system/application failure. We can understand the importance of having the ability to make these expedited changes, however, IS auditors should pay a little more mind to this area to ensure that these changes were appropriate for the system. Moreover, auditors should review whether this change was an emergency change or not, and how often the event of emergency change occurs within an organization’s information system. While we shouldn’t assume that every person has malicious intent, auditors should keep a certain level of skepticism regarding procedures like emergency change, since it grants access directly to the production environment and could potentially be damaging to the company.
Shuyue Ding says
Hi Sarah,
I cannot agree more that auditors should focus more on determining whether the emergency is necessary or not, and the company’s IT environment would be unstable if there were a relatively large number of emergency changes. IT auditors would find out the root causes, and it could be poor policy design or unauthorized changes.
Deepa Kuppuswamy says
Sarah, thanks for discussing the importance of skepticism. Information security auditors are required to exercise the attitude of professional skepticism, which requires a questioning mind and a critical assessment of audit evidence throughout the audit process. The auditor neither assumes that management is dishonest nor assumes unquestioned honesty. In exercising professional skepticism, the auditor should not be satisfied with less than persuasive evidence because of a belief that management is honest.
Read more about the importance of professional skepticism from the PCAOB site: https://pcaobus.org/Standards/Auditing/Pages/AS1015.aspx
Penghui Ai says
CISA Chapter 3.10 introduces “information systems maintenance practices.” System maintenance practices refer primarily to the process of managing change to application systems while maintaining the integrity of both the production hardware and the application source and executable code. In this section, the most important context is to understand the change request document and know how to use it. This document has 6 sections, which are contents, usage guidance, general RFC data, the scope of change, approval/rejection, and post-implementation review. It is a formal document in either case, so the IS auditor should determine before the update whether procedures exist to ensure possession of the change request form.
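Two audit checks the thread keeps coming back to, how often the emergency path is used and whether every change request carries the six sections Penghui lists, can be run over a change log. The script below is an added example, not course material or anything posted in the thread; it assumes one record per RFC keyed by those six section names, and the RFC identifiers and threshold are constructed.

```python
from dataclasses import dataclass

# The six sections of a formal change request (RFC) named in the chapter.
REQUIRED_SECTIONS = (
    "contents", "usage_guidance", "general_rfc_data",
    "scope_of_change", "approval_rejection", "post_implementation_review",
)
# Sections an emergency change must still complete afterwards, because it
# reached production before the normal approval path was followed.
RETROSPECTIVE = ("approval_rejection", "post_implementation_review")


@dataclass
class ChangeRequest:
    rfc_id: str        # hypothetical identifier, e.g. "RFC-0001"
    emergency: bool    # raised through the emergency change path?
    sections: dict     # section name -> recorded text ("" = not filled in)


def missing_sections(rfc: ChangeRequest) -> list:
    """Required RFC sections that are absent or left empty."""
    return [s for s in REQUIRED_SECTIONS if not rfc.sections.get(s)]


def audit_changes(rfcs: list, max_emergency_rate: float = 0.2) -> dict:
    """Return audit findings and the share of changes raised as emergencies."""
    findings = []
    for rfc in rfcs:
        gaps = missing_sections(rfc)
        late = [s for s in RETROSPECTIVE if s in gaps]
        if rfc.emergency and late:
            findings.append((rfc.rfc_id, "emergency change never closed out: " + ", ".join(late)))
        elif gaps:
            findings.append((rfc.rfc_id, "incomplete RFC: " + ", ".join(gaps)))
    rate = sum(r.emergency for r in rfcs) / len(rfcs) if rfcs else 0.0
    if rate > max_emergency_rate:  # threshold is a constructed audit parameter
        findings.append(("ALL", f"emergency changes are {rate:.0%} of all changes"))
    return {"findings": findings, "emergency_rate": rate}


def _rfc(rfc_id, emergency, **blank):
    """Build a constructed sample record with every section filled unless blanked."""
    sections = {s: f"{s} recorded" for s in REQUIRED_SECTIONS}
    sections.update(blank)
    return ChangeRequest(rfc_id, emergency, sections)


# Constructed sample period: four changes, two of them emergencies.
SAMPLE = [
    _rfc("RFC-0001", False),
    _rfc("RFC-0002", True),                                 # emergency, fully closed out
    _rfc("RFC-0003", True, post_implementation_review=""),  # emergency, PIR never done
    _rfc("RFC-0004", False, scope_of_change=""),            # normal change, scope undocumented
]

if __name__ == "__main__":
    for rfc_id, note in audit_changes(SAMPLE)["findings"]:
        print(rfc_id, note)
```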