Booklet: Development and Acquisition
Section: Maintenance
Subsection: Routine Modifications

Routine modifications involve making changes to application or operating system software to improve performance, correct problems, or enhance security. Routine modifications can be simple or complex, but they are not of the magnitude of major modifications and can be implemented in the normal course of business.

Routine change standards should include change request, review, and approval procedures and require management to plan, test, and document all changes prior to implementation. Well-defined implementation plans, which often include automated deployment tools, are especially important for large organizations that must implement changes over numerous or widely dispersed networks. Change standards should also address communication procedures to ensure management quickly notifies affected parties of all changes.

Organizations should coordinate software modifications and patches through a centralized change management process. Centralized oversight is necessary due to the interdependence of technology systems and operations. Large institutions should consider using specialized change control committees to coordinate activities. Smaller institutions can often use technology steering committees to manage the process effectively. Oversight committees help clarify request requirements and help ensure all departments are aware of pending changes. The committees should include sufficient representation from business, technology, security, quality assurance, and audit departments to ensure changes support business objectives and do not adversely affect operations or security.

Management should review all proposed changes to ensure modifications are appropriate for the system involved. Additionally, management should ensure modified programs are compared to change authorization documents to determine that only approved changes were implemented. The absence of sound controls and accurate documentation can cause problems when management installs subsequent systems. Standard change request forms, library and version controls, and spreadsheets or automated change logs facilitate management's ability to track, report, and analyze changes. Comprehensive change logs are a prerequisite to all change control processes.

Change request forms should provide an accurate chronological record and description of all changes. The forms should provide sufficient information for affected parties to understand the impact of a change and include:
- Request date;
- Requestor's name;
- Description of change;
- Reasons for implementing or rejecting a change;
- Justification for change;
- Approval signature(s); and
- Change control number.
If a change request is approved, the request form should be submitted to the appropriate technology department. The organization should develop additional documentation during the change process that includes:
- Priority information;
- Identification of affected systems, databases, and departments;
- Name of individual responsible for making the change;
- Resource requirements;
- Projected costs;
- Projected completion date;
- Projected implementation date;
- Potential security and reliability considerations;
- Testing requirements;
- Implementation procedures;
- Estimated downtime for implementation;
- Backup/back-out procedures;
- Documentation updates (program designs and scripts, network topologies, user manuals, contingency plans, etc.);
- Change acceptance documentation from all applicable departments (user, technology, quality assurance, security, audit, etc.); and
- Post-implementation audit documentation (comparison of expectations and results).
After program modifications are completed, all program code (source code, object code, patch code, load modules, etc.) should be secured. Securing the code provides some assurance that the programs cataloged to production environments are unaltered versions of the approved and tested programs. Management should establish program approval standards that include procedures for verifying test results, inspecting modified code, and confirming that source and object code match.
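One concrete way to confirm that the programs cataloged to production are unaltered versions of the approved and tested programs is to record a digest of every approved artifact at approval time and compare the production copy against that record before and after each change. The script below is an added illustration, not part of the FFIEC handbook; the directory layout, file names, and the constructed discrepancies in demo() are assumptions chosen for the example.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helpers for the example; the handbook prescribes no specific tooling.
def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large load modules are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(approved_dir: Path) -> dict[str, str]:
    """Digest of every approved artifact, keyed by path relative to the release root."""
    return {p.relative_to(approved_dir).as_posix(): hash_file(p)
            for p in sorted(approved_dir.rglob("*")) if p.is_file()}

def verify_production(manifest: dict[str, str], prod_dir: Path) -> dict[str, list[str]]:
    """Report production artifacts that were altered, are missing, or were never approved."""
    found = {p.relative_to(prod_dir).as_posix(): hash_file(p)
             for p in prod_dir.rglob("*") if p.is_file()}
    return {
        "altered": sorted(n for n, d in found.items() if n in manifest and d != manifest[n]),
        "missing": sorted(n for n in manifest if n not in found),
        "unexpected": sorted(n for n in found if n not in manifest),
    }

def demo() -> dict[str, list[str]]:
    """Constructed sample: an approved release and a production copy with two discrepancies."""
    with tempfile.TemporaryDirectory() as tmp:
        approved, prod = Path(tmp, "approved"), Path(tmp, "prod")
        for root in (approved, prod):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "ledger.so").write_bytes(b"approved build 2024.1\n")
            (root / "conf").mkdir()
            (root / "conf" / "app.ini").write_text("timeout=30\n")
        manifest = build_manifest(approved)
        # Constructed discrepancies: one artifact changed after approval, one file nobody approved.
        (prod / "bin" / "ledger.so").write_bytes(b"approved build 2024.1 + unreviewed patch\n")
        (prod / "bin" / "debug_hook.so").write_bytes(b"not in change record\n")
        return verify_production(manifest, prod)

if __name__ == "__main__":
    print(demo())
```

Any non-empty list in the result is a finding for the post-implementation audit: "altered" entries should be reconciled against the change authorization documents, and "unexpected" entries indicate code that bypassed the approval process.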