Information Technology (IT) change management is a structured process for reviewing proposed IT system or service changes. This process occurs prior to implementing the requested change on an organization’s network, thus minimizing or eliminating network outages.
IT change management is necessary to ensure any changes to the network will not degrade the performance of the network. Any changes to the network should be a defined, purposeful action to eliminate a found vulnerability, upgrade a component on the network for improved performance, or replace a currently obsolete or faulty network component.
What Are the Types of IT Changes?
IT system or service changes are categorized into three types, according to Atlassian.
Standard changes are routine, and follow a pre-established process regarding risk analysis and pre-approvals. These changes are vetted processes that have been pre-approved for execution. Examples of standard changes include the following:
- Upgrading RAM or hard drive size
- Replacing a failing network device
- Making a new database instance
Normal changes do not have a pre-established process. A risk analysis and deployment plan must be submitted for approval prior to implementing these changes on the IT network. Examples of normal changes include the following:
- Upgrading to a new compliance management system
- Upgrading network devices for improved performance
- Relocating a server farm
Emergency changes are when an unplanned outage has occurred, or is likely to occur, due to a discovered vulnerability that possesses a significant threat to the network. Examples of emergency changes are the following:
- Installing a security patch
- A network device outage
- Recovering from a major incident (i.e. fiber strand cut)
How Does Change Management Help a Business?
Every successful modern business relies on its IT network. An IT change management process ensures any applied changes to the network are successful, allowing a business to continue normal operations after the IT change request is implemented. All changes to the network are considered essential to maintain operational performance.
Here are some additional benefits to having an IT change management process in place:
- IT network changes are implemented more quickly.
- There is a historical record of all IT infrastructure changes.
- You have the ability to rollback to an original state prior to any IT network change.
- You are communicating proposed IT changes to all stakeholders in the organization.
Documented policies and procedures help organizations follow a repeatable process for all IT essential changes. Having a repeatable process helps an organization utilize the same risk assessments, tests, and approvals for all applicable IT changes.
What Is a Change Advisory Board?
A Change Advisory Board (CAB) consists of members from an organization that are authorized to review and assess the risks for all IT change requests. A CAB can reject an IT change request if it’s lacking information crucial to the submitted change request, or if all the risk factors are not properly addressed.
The CAB requires the following information to do a rigorous risk assessment:
- A description of the IT Change request to be released
- The test results from user acceptance testing
- The test sign-off that applicable systems or systems integration is successful and completed
- The deployment plan and the rollback plan
- A questions and answers session with project or test managers to address all CAB concerns
The CAB’s sole purpose is to ensure the integrity of the network remains intact and operational after the IT change request is sent to release management for implementation.
The CAB consists of representatives from all groups impacted by the potential changes. At a minimum, the CAB should include the following: Change Manager, Operations Manager, Information Security Officer, Senior Network Administrator, Service Desk Manager, and the Application Manager if applicable. Each member has an equal vote in the CAB process.
Do All Essential Changes Require CAB Approval?
Yes, all essential changes require a CAB review. An IT change management process is the foundation on which a robust and functioning IT network is built. Successfully implemented IT changes are foundational. Each essential IT change request addresses:
- A vulnerability to sustain network performance
- An upgrade to improve network performance
- A failed component that is replaced to restore network performance
Note that standard changes are those already documented as CAB pre-approved processes. The CAB will review all other IT change requests. However, a modification to a user desktop setting will not require a CAB review, as long as the change adheres to the organization’s best cybersecurity practices.