Change Management Programs
Change management is a systematic approach that manages all changes made to a product or system, ensuring that methods and procedures are used to handle these changes efficiently and effectively.
- helps minimize risks
- typical changes:
- software deployments
- system updates
- software patching
- hardware replacements or upgrades
- changes to system configurations
- new product implementations
- new software integrations
- changes to support environments
- allows all changes to be tracked, assessed, approved, and reviewed
- Each change must include:
- documentation
- the reasons for the change
- any potential impacts
- a rollback plan
- Each change must be subject to risk assessment
- to identify potential security impacts
- stakeholders must approve changes before implementation
- ensure accountability and changes align with business priorities
- changes must be reviewed and audited
- to ensure they have been completed correctly and achieved stated outcome
- begins with request for change (RFC)
- outlines the proposed change, including its purpose, scope, and potential impact
- reviewed by a designated change manager or committee
- undergoes a formal approval process
Change Management Concepts
| Concept | Description |
|---|---|
| Impact Analysis | This is the process of identifying and assessing the potential implications of a proposed change, including how the change will impact individual users, business processes, or interconnected systems. |
| Test Results | Before implementation, changes must first be evaluated in a test environment to ensure they work as intended and do not cause issues. Test results provide valuable insight into the likelihood of success and help identify potential issues without impacting business operations. |
| Backout Plans | A backout plan is a contingency plan for reversing changes and returning systems and software to their original state if the implementation plan fails. A well-defined backout plan helps to minimize downtime and reduces the risk of data loss or other severe impacts. |
| Maintenance Windows | A maintenance window is a predefined, recurring time frame for implementing changes. They are typically scheduled during periods of low activity to minimize business disruptions. |
| Standard Operating Procedures (SOPs) | These are detailed, written instructions that describe how to carry out routine operations or changes. In change management, SOPs ensure that changes are implemented consistently and effectively. They are generally developed during testing phases and provide detailed steps for employees tasked with implementing a change to help reduce errors. |
Allowed and Blocked Changes
In change management, an allow list describes a list of approved software, hardware, and specific change types (such as routine or low-risk changes) that are not required to go through the entire change management process.
- may include specific individuals with change management approval authority
- must be updated via regular reviews
- reduce the time and effort required for trusted or preauthorized changes
A block list includes explicitly blocked software, hardware, and specific change types.
- may include:
- software and hardware with known security or compatibility issues
- high-risk or high-impact changes that must go through the full change management process
- individuals who are not authorized to implement or approve changes
- help prevent unauthorized or risky changes
- can serve as a security measure to clearly identify off-limits change types
Restarts, Dependencies, and Downtime
- One of the primary goals of change management
- minimize disruptions by scheduling restarts or downtime events during maintenance windows or off-peak times
- reduces the impact on users and business processes
- A careful analysis of software and system dependencies is critical
- avoid unintended outages by:
- Understanding what services depend on each other
- how restarts impact them
- what measures need to be taken to mitigate potential impacts
- impact the time needed for a change
- backout plans may need to consider dependencies as part of the process
- avoid unintended outages by:
IT changes that generally require service or application restarts and result in downtime:
| Change Type | Description |
|---|---|
| Software Upgrades and Patches | When upgrading software applications, especially major version updates or patches, a restart of the application is typically needed to apply the changes effectively and ensure the updated version is fully functional. |
| Configuration Changes | Many system configuration changes, such as modifying server settings, network configurations, or database parameters, require a restart of the affected services to apply the changed configurations properly. |
| Infrastructure Changes | When changing infrastructure components, such as switches, routers, firewalls, and load balancers, it is typically necessary to restart the devices to apply the changes and ensure they do not negatively impact operations. |
| Security Changes | Implementing specific security measures, such as updating encryption protocols, enabling or disabling security features, or modifying access control settings, may require a restart of the services or applications to enforce the new security configurations effectively. |