Domain 7: Security Operations (e.g., Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Change Management

The change management process was discussed in depth previously in this chapter. This process is designed to ensure that security is not adversely affected as systems are introduced, changed, and updated. Change Management includes tracking and documenting all planned changes, formal approval for substantial changes, and documentation of the results of the completed change. All changes must be auditable.

The change control board manages this process. The BCP team should be a member of the change control board, and attend all meetings. The goal of the BCP team’s involvement on the change control board is to identify any changes that must be addressed by the BCP/DRP plan.

URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000084

Domain 8

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

Change management

The change management process is discussed in depth in Chapter 8, Domain 7: Operations Security. This process is designed to ensure that security is not adversely affected as systems are introduced, changed, and updated. Change management includes tracking and documenting all planned changes, formal approval for substantial changes, and documentation of the results of the completed change. All changes must be auditable.

The change control board manages this process. The BCP team should be a member of the change control board and attend all meetings. The goal of the BCP team's involvement on the change control board is to identify any changes that must be addressed by the BCP/DRP plan.

URL: https://www.sciencedirect.com/science/article/pii/B9781597499613000091

Road Map

John Ladley, in Making EIM Enterprise Information Management Work for Business, 2010

Approach Considerations

There are many change management processes available to review and use. All contain basically the same components and are effective when used appropriately. Key to EIM is to adopt an approach that:

Focuses on resistance and motivation

Offers some initial metrics for consideration

Offers sample tools for additional assessments or facilitation of stakeholders and sponsors.

Stakeholder analysis should be done with selected EIM leadership and representatives from HR. The results must be confidential. After all, you will be identifying people in terms of their historical resistance to change, or delving into a review of human dynamics.

Communications and training plans are not lists of required PowerPoint slides. The various stakeholders will require different communication and training. Remember—education, training, and orientation are three facets of the same thing. All serve the same goal—to keep the organization from reverting.

Determining resistance is crucial. Like the stakeholder analysis, you will be sitting around a table talking about people. There are several means to classify resistance, and from an EIM view you will need to distinguish between those who will be directly resistant, those who will be passive, and those who won’t care. Direct resistance is, of course, the most controversial. However, there will need to be incentives for all types of resistance. An important principle of change management is to be able to answer the “What’s in it for me?” (WIIFM) question for all stakeholders.

At this point in the EIM program effort, resistance will be obvious. Most of the EIM team will be passionate about the importance and value of EIM. Most business sponsors will be supportive, but will want to see some results in the near future. Most likely, a few business sponsors will begin to “hedge” a little if the political capital required begins to appear to be too much to invest, as this step will reveal the investment they need to make. Whatever happens, be calm. The initial reaction among the team will be “How can anyone possibly see this isn’t a great program? Make them change or fire them!” However, resistance and hesitancy are normal. Take heart in the fact that you have anticipated this and are planning the means to manage it.

Those of us doing EIM over many years are used to resistance in all forms, and there are few surprises. However, as someone who may be new, please bear this in mind: There will be resistance in the form of direct confrontation. Remember, many of the behaviors that IAM deems risky (e.g., departmental databases with mission critical data) are viewed as necessary and acceptable. Resistance management needs to start out as defining incentives, education on the benefits, and rationale for doing EIM, and in general a positive approach. Keep negative responses as a tool, but deploy them last.

There is a strong business case for formal efforts around change management. Table 26.8 shows some simple guidelines for justifying the sustaining activities that constitute change management. If you are having a problem getting change management incorporated into EIM, use this as an anchor for your pitch.

Table 26.8. Justification for a Sustaining Program (Change Management)

Sustaining Program Benefit Profile

Focus areas for business        | Focus areas for sustaining program
                                | Increase IMM                                                       | Maintain program business alignment                                         | Roll-out organization
Mitigate risks                  | Reducing risk in data is an enterprise issue                       | Reduction of shadow IT “quick fix” mentality                                | Identify and mitigate resistance
Manage cost                     | Uncover opportunities for collaboration and efficient cooperation  | Assess business benefits against framework costs and shadow IT elimination  | Manage human capital costs from attrition/resistance
Achieve goals and opportunities | Increase analytical power of data                                  | Identify gaps in business plans and information capabilities                | DG manages costly project issues, ensures DQ accuracy in execution

The metrics for sustaining EIM take a variety of forms. Some were identified in Part 1. The categories for your measurement requirements are:

Measure the success of EIM

Metrics to indicate improvement in organization value due to EIM

Metrics that report on the progress of utilization of data governance and EIM policies

Metrics measuring the effectiveness of change management programs and the rate of change adoption.

URL: https://www.sciencedirect.com/science/article/pii/B9780123756954000266

Road map

John Ladley, in Data Governance, 2012

Approach Considerations

There are many change management processes available. All contain basically the same elements and all are effective when deployed properly. Adopt an approach that:

Focuses on engagement and managing resistance

Follows best practices and provides some metrics for consideration

Offers sample tools for planning, assessment, and support of stakeholders and sponsors

The right sponsor for data governance is an essential OCM “best practice” that must be addressed early on. Without a sponsor who has the political capital and backbone to drive the required changes, your chances of success are slim. Also, in most organizations IT does not have the credibility to sponsor something like DG. Go after a business executive and keep pushing until you get the right one.

Stakeholder analysis should be done considering all those who are impacted, to what degree, and what their likely reaction(s) will be. It will be important to understand how people will react so you can develop methods or approaches to address their resistance or engage their support.

Open, honest, and frequent communication is absolutely critical, and it is not through a list of required PowerPoint slides. Various stakeholder groups will require different and differing levels of communication and opportunities to provide feedback. Communication must be two-way. Only if you know what people are thinking or how they are reacting will you be able to “course correct” your plans and address the issues.

Managing resistance is essential. It is out there and cannot be ignored or it will undermine all your efforts, guaranteed. There will be varying levels of resistance, from openly hostile to passive. The important thing is to understand why people are resisting and to try to address it. Answering “What's in it for me?” (WIIFM) is an important OCM principle. It helps people connect to what is happening and move through their resistance to support.

If you have been doing this for a while, you have become accustomed to resistance in all of its forms. However, as someone who may be new, please bear this in mind: Many of the behaviors that DG deems risky (e.g., departmental databases with mission-critical spreadsheets copied to USB drives, etc.) are viewed as necessary and acceptable. Keep a positive outlook, identify available incentives, and provide education on the benefits and rationale for doing DG. Engage people in the process as much as possible. Keep negative responses as a tool, but deploy them only after trying the positive.

URL: https://www.sciencedirect.com/science/article/pii/B9780124158290000125

Implementation

John Ladley, in Data Governance (Second Edition), 2020

Approach considerations

There are many change management processes available to use (Prosci, Kotter, Bridges, etc.). All contain basically the same elements, and all are effective when deployed properly. Using an accepted, published process also allows you to insert these activities into your approach to DG sooner. Very often some of the OCM activities start in Strategy. When you get to the Implementation point in your effort, the requirements for sustaining the program become evident. Your sustaining requirements should be in a context that:

Focuses on engagement and managing resistance

Follows best practices and provides metrics for consideration

Offers sample tools for planning, assessment, and support of stakeholders and sponsors

Remember that most approaches to change management are based on the Plan, Do, Act model.

1. Planning—assessing the need for change and developing the approach and detailed plan to manage change. Planning needs to be finalized as early as possible, so while the checklist activities are reviewed here, the sooner you can do them the better.

2. Doing—executing the OCM plan to help people transition from the “old” state of work to the new. Doing change means rolling out the plan: executing communications and training events, for example, aligning leadership, and analyzing stakeholders.

3. Act or Sustaining—implementing the mechanisms and structures to ensure there is no reversion to old ways. It is easy to confuse Do and Act. Ongoing communication and training is certainly part of change management, but you also need to monitor the actual changed activities and look for the effectiveness of new behaviors.

Picking the right sponsor for DG (i.e., from the business) is essential. Per the Prosci Best Practices surveys since 2003, the right sponsor has been the number one success factor for any change effort. That person has the influence and political capital to make things happen; get him or her engaged very early on. The right sponsor is an essential OCM “best practice” and must be addressed early on. Without a good sponsor your chances of success are slim. Also, in most organizations IT usually does not have the credibility to sponsor something like DG. Go after a business executive and keep pushing until you get the right one.

Other items to consider when determining the OCM requirements are:

Are there any other assessments you can use? Many organizations do frequent employee surveys.

Did your change capacity assessment provide enough insight? If not, leadership alignment and stakeholder analysis can be used to beef up your discovery. Some steps you might need to take are:

How do you need to staff OCM? Visible efforts, like the RREC case study, will require some change agents and other resources. Low-profile efforts may be fine with only the existing stakeholders. Larger efforts will need to treat obtaining a sponsor the same way as hiring someone: on qualifications and experience.

Stakeholder analysis should be done considering all those who are impacted, to what degree, and what their likely reaction(s) will be. It will be important to understand how people will react so you can develop methods or approaches to address their resistance or engage their support.

Make sure you spend adequate time on communications requirements. Open, honest, and frequent communication is absolutely critical—and it is not a list of required PowerPoint slides. Various stakeholder groups will require different and differing levels of communication, and the opportunity to provide feedback. Communication must be two-way. Only if you know what people are thinking or how they are reacting will you be able to “course correct” your plans and address the issues.

What kind of resistance will there be? Proactively identify specific types of resistance (overt, passive, etc.) and identify the required activity to deal with it. Planning to manage resistance is essential. It is out there and cannot be ignored or it will undermine all your efforts—guaranteed. There will be varying levels of resistance, from openly hostile to passive (Fig. 10.7).

Fig. 10.7. Resistance spectrum

The important thing is to understand why people are resisting and to try to address it. Considerable change requirements can result from understanding what types of resistance you will encounter (Fig. 10.8).

Fig. 10.8. Resistance types

Answering “What’s in it for me?” (WIIFM) is an important OCM principle. It helps people connect to what is happening and move through their resistance to support. Determining WIIFM is a key requirement.

If you have been doing this for a while, you become accustomed to resistance in all its forms. However, as someone who may be new, please bear this in mind: many of the behaviors that DG deems risky (e.g., departmental databases with mission-critical spreadsheets copied to USB drives, etc.), are viewed as necessary and acceptable. Keep a positive outlook; identify available incentives and provide education on the benefits and rationale for doing DG. Engage people in the process as much as possible. Keep negative responses as a tool but deploy them only after trying the positive.

The DG team can benefit greatly from the help of an organizational development specialist if one is available. They can define the sustaining requirements and the change management plan. Many HR organizations have a unit of these professionals to help with change efforts. Make use of them if you have such a group in your organization.

URL: https://www.sciencedirect.com/science/article/pii/B9780128158319000102

Change Management

James G. Williams, in Introduction to Information Security, 2014

Phase 6: Change Process Evaluation

After the change is implemented, the entire change management process from receipt of RFCs through implementation must be evaluated. This is done by conducting personnel interviews and reviewing documentation. The main objective is to evaluate the effectiveness of the change process. Unsuccessfully implemented changes should also be evaluated so that problems can be identified and corrected before additional changes are initiated.

Figure 10.2 illustrates the change management process, with the personnel responsible for each stage of the process. The process moves from left to right starting with the submission of an RFC, which is then assessed by the change manager as to technical feasibility, service impact, security risks, and cost benefit. The change manager may pass the RFC back to the requestor for additional explanation or information. In some cases the change manager may deny the change. If the change manager determines that it is an urgent change it is sent through an urgent change process, otherwise it is sent to the IT executive committee for approval. If the executive committee approves the change request, it is sent to a change advisory board/committee for scheduling. The change advisory board/committee then passes the change request to those who will be responsible for actually implementing the change.

Figure 10.2. Change management process.

URL: https://www.sciencedirect.com/science/article/pii/B9781597499699000109

Operating a Cloud

Derrick Rountree, Ileana Castrillo, in The Basics of Cloud Computing, 2014

Change Management

Everything in the datacenter should be covered by a change management process, which prevents any change without correct authorization and approval. This should apply to both hardware and software to ensure smooth operation of the datacenter. A change made in one area could inadvertently affect other areas. For instance, upgrading firmware in a router may be done without realizing that some application relies on a specific firmware version. Likewise, updates to an operating system may be required by policy but must still be put through change management, since some applications may require specific builds.

The change management process should have access to the CMDB to both verify and assess change requests and to update the CMDB after a change is completed. In this manner, changes that are made to the cloud are recorded and can be reviewed in the future for any number of reasons—including debugging.

URL: https://www.sciencedirect.com/science/article/pii/B9780124059320000074

Securing the Cloud: Key Strategies and Best Practices

Vic (J.R.) Winkler, in Securing the Cloud, 2011

Configuration Management and Change Control

It is a best practice to implement a configuration and change management process that can:

1. govern proposed changes,

2. identify possible security consequences, and

3. provide assurance that the current operational system is correct in version and configuration.

The relationship between configuration management and security control procedures is an often-neglected one in commercial implementations of Internet-facing systems. Evidence of this periodically appears in the form of older and vulnerable configurations making their way back into production even months after they have been patched or upgraded. How does this happen?

The root cause is typically a process failure in configuration management (CM) or change control (CC). The nature of such process failures too often has a great deal to do with a desire to push a new release into production. Without disciplined change and configuration processes, security controls are subject to the introduction of vulnerabilities or the erosion of necessary controls. This is critical to security during the operational phases of the life cycle. One excellent recognition of this is found in NIST SP 800-64, Security Considerations in the Information System Development Life Cycle, which states: “Changes to the hardware, software, or firmware of a system can have a significant impact on the security of the system…changes should be documented, and their potential impact on security should be assessed regularly.”

If CM or CC processes are to truly support the operation and security of systems, then:

CM and CC must be well defined and provide a structured method for effecting both technical and administrative changes. When these processes are effective, they provide organizational controls—with input from appropriate stakeholders.

CM and CC must provide assurances that the IT resources in operation are correct in their version and configuration.

Planning for CM should take place as the system itself is planned or designed. When a system moves into operation or maintenance, CM and CC activities become operational controls around the overall security of the system.

CM and CC are essential to controlling and managing an accurate inventory of components and changes.

All that is fine, but systems are simply too large and too complex for purely manual processes in CM and CC to support ongoing security evaluation of the various changes that an operational system is subject to. What this leads to is the need for automation in configuration and deployment—and a coupling between such operational automation and CM and CC processes.
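The two process failures described in the preceding chapters, a change request that is not checked against the CMDB before it is approved (and the CMDB not updated afterwards), and an older, already-patched build quietly making its way back into production, can both be caught by coupling the change record to an automated inventory check. The following is an added example written for this page; it is not code from Winkler's chapter, from Rountree and Castrillo's, or from any CMDB product. The `CMDB` class, its record fields, the `requires` dependency pin, the RFC dictionaries and the sample inventory are all constructed assumptions for illustration. It assesses an RFC against the recorded baseline (dependency impact and silent rollback), updates the CMDB and its audit trail on completion, and then compares an observed inventory against the baseline to flag reverted, drifted and untracked components.

```python
"""Change-gated configuration baseline with drift detection (illustrative, not a product schema)."""
from dataclasses import dataclass, field
import hashlib
import json


def config_hash(config):
    """Canonical hash of a configuration dict, so key order cannot mask or fake drift."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


def vtuple(version):
    """'2.4.57' -> (2, 4, 57): compare releases numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


@dataclass
class ConfigItem:
    name: str
    version: str
    config: dict
    requires: dict = field(default_factory=dict)  # dependency CI name -> pinned version


class CMDB:
    """Assumed minimal CMDB: tracked items plus an audit trail of applied changes."""

    def __init__(self):
        self.items = {}
        self.changes = []  # (rfc_id, ci, old_version, new_version)

    def add(self, ci):
        self.items[ci.name] = ci

    def assess(self, change):
        """Verify an RFC against the baseline before approval. Returns a list of problems."""
        problems = []
        target = self.items.get(change["ci"])
        if target is None:
            return [f"{change['ci']}: not in CMDB; refuse to change an untracked CI"]
        # Impact analysis: does another CI pin the version this change would replace?
        for other in self.items.values():
            pinned = other.requires.get(target.name)
            if pinned is not None and pinned != change["version"]:
                problems.append(f"{other.name} pins {target.name} {pinned}; {change['version']} would break it")
        # Going back to an older release is how patched vulnerabilities return; make it explicit.
        if vtuple(change["version"]) < vtuple(target.version) and not change.get("approved_rollback"):
            problems.append(f"{target.name}: {change['version']} is older than deployed {target.version}; rollback needs explicit approval")
        return problems

    def apply(self, rfc_id, change):
        """Complete an approved change and record it, so the CMDB stays the source of truth."""
        problems = self.assess(change)
        if problems:
            raise ValueError(f"{rfc_id} rejected: " + "; ".join(problems))
        target = self.items[change["ci"]]
        self.changes.append((rfc_id, target.name, target.version, change["version"]))
        target.version = change["version"]
        target.config = change["config"]

    def drift(self, observed):
        """Compare a scanned inventory {name: {version, config}} against the baseline."""
        findings = []
        for name, ci in self.items.items():
            obs = observed.get(name)
            if obs is None:
                findings.append(f"{name}: MISSING from observed inventory")
                continue
            if obs["version"] != ci.version:
                kind = "REVERTED" if vtuple(obs["version"]) < vtuple(ci.version) else "UNAPPROVED UPGRADE"
                findings.append(f"{name}: {kind} running {obs['version']}, baseline {ci.version}")
            elif config_hash(obs["config"]) != config_hash(ci.config):
                findings.append(f"{name}: CONFIG DRIFT hash {config_hash(obs['config'])} != baseline {config_hash(ci.config)}")
        for name in sorted(observed.keys() - self.items.keys()):
            findings.append(f"{name}: UNTRACKED, not in CMDB")
        return findings


def build_sample_cmdb():
    """Constructed sample data: a router whose firmware an application pins, and a web host."""
    cmdb = CMDB()
    cmdb.add(ConfigItem("edge-rtr-1", "15.2", {"acl": ["permit 10.0.0.0/8"], "snmp": "v3"}))
    cmdb.add(ConfigItem("billing-app", "3.1", {"db": "pg01"}, requires={"edge-rtr-1": "15.2"}))
    cmdb.add(ConfigItem("web-01", "2.4.41", {"tls_min": "1.2", "server_tokens": "prod"}))
    return cmdb


def demo():
    cmdb = build_sample_cmdb()
    # RFC-1: router firmware upgrade that would silently break the application pinned to 15.2
    rfc1 = {"ci": "edge-rtr-1", "version": "15.4", "config": {"acl": ["permit 10.0.0.0/8"], "snmp": "v3"}}
    rejected = cmdb.assess(rfc1)
    # RFC-2: approved web server patch; completing it updates the CMDB and the audit trail
    rfc2 = {"ci": "web-01", "version": "2.4.57", "config": {"tls_min": "1.2", "server_tokens": "prod"}}
    cmdb.apply("RFC-2", rfc2)
    # Later inventory scan (constructed): web-01 is back on the pre-patch build, plus a stray host
    observed = {
        "edge-rtr-1": {"version": "15.2", "config": {"acl": ["permit 10.0.0.0/8"], "snmp": "v3"}},
        "billing-app": {"version": "3.1", "config": {"db": "pg01"}},
        "web-01": {"version": "2.4.41", "config": {"tls_min": "1.2", "server_tokens": "prod"}},
        "lab-box-7": {"version": "1.0", "config": {}},
    }
    return rejected, cmdb.changes, cmdb.drift(observed)


if __name__ == "__main__":
    rejected, log, findings = demo()
    print("RFC-1 assessment:", rejected)
    print("change log:", log)
    print("drift findings:", *findings, sep="\n  ")
```

In practice the `observed` dictionary comes from whatever inventory tool already runs in the environment, and the drift check is scheduled rather than run by hand; the point is that the same record the change board approved is the record the scanner compares against, which is the coupling the paragraph above calls for.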

URL: https://www.sciencedirect.com/science/article/pii/B9781597495929000063

IT Infrastructure

David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013

7.4.3.4.2 Requestor

A Requestor is a person who owns a change in the Change Management Process, and whose responsibilities may include:

attending CAB meetings, as required, to support a submitted change;

consulting all teams involved in, or affected by, a change, ensuring they have agreed to the proposed approach, including resource demands, and have confirmed this in writing or by e-mail;

fully testing a change;

leading the change process for a particular RfC from inception to completion;

leading the implementation of a change;

performing an initial evaluation of a change covering risk assessment and impact analysis;

ensuring that sufficient and accurate documentation is produced to successfully implement a change;

testing implementation and back-out plans.

Note 1

The Requestor may originate from a business stream or the IT Department.

Note 2

The information needed for an RfC may change between different types of change, but the standard requirements for an RfC are given in Appendix 17.

URL: https://www.sciencedirect.com/science/article/pii/B9781597497428000078
