Information security
== Process ==
U.S. [[Federal Sentencing Guidelines]] now make it possible to hold corporate officers liable for failing to exercise due care and due diligence in the management of their information systems.<ref name="VallabhaneniCorporate08">{{cite book |url=https://books.google.com/books?id=BvYbQr9MV_sC&pg=PA288 |title=Corporate Management, Governance, and Ethics Best Practices |author=Vallabhaneni, S.R. |publisher=John Wiley & Sons |page=288 |year=2008 |isbn=9780470255803}}</ref> In the field of information security, Harris<ref>{{cite book|author=Shon Harris|author-link=Shon Harris|title=All-in-one CISSP Certification Exam Guide|edition=2nd|publisher=[[McGraw-Hill]]/Osborne|year=2003|location=[[Emeryville, California]]|isbn=978-0-07-222966-0}}</ref> offers the following definitions of due care and due diligence: <blockquote>''"Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees''<ref>{{Cite journal|last=Boncardo|first=Robert|date=2018-09-20|title=Jean-Claude Milner's Mallarmé: Nothing Has Taken Place|url=http://dx.doi.org/10.3366/edinburgh/9781474429528.003.0005|journal=Edinburgh University Press|volume=1|doi=10.3366/edinburgh/9781474429528.003.0005|s2cid=172045429}}</ref>''."'' And, <nowiki>[Due diligence are the]</nowiki> ''"continual activities that make sure the protection mechanisms are continually maintained and operational."''<ref>{{Citation|title=The Importance of Operational Due Diligence|date=2015-10-16|url=http://dx.doi.org/10.1002/9781119197485.ch2|work=Hedge Fund Operational Due Diligence|pages=49–67|place=Hoboken, NJ, US|publisher=John Wiley & Sons, Inc.|doi=10.1002/9781119197485.ch2|isbn=978-1-119-19748-5|access-date=2021-06-05}}</ref> </blockquote> Attention should be paid to two important points in these definitions.<ref>{{Cite journal|last=Hall|first=Gaylord 
C.|date=March 1917|title=Some Important Diagnostic Points the General {{sic|Pract|ioner|nolink=y}} Should Know About the Nose |journal=Southern Medical Journal|volume=10|issue=3|pages=211 |doi=10.1097/00007611-191703000-00007 |doi-broken-date=January 29, 2025 |url=https://sma.org/southern-medical-journal/article/some-important-diagnostic-points-the-general-practioner-should-know-about-the-nose/ |issn=0038-4348}}</ref><ref>{{Cite book|first=J.|last=Renes|title=Landschappen van Maas en Peel: een toegepast historisch-geografisch onderzoek in het streekplangebied Noord- en Midden-Limburg.|date=1999|publisher=Eisma |isbn=90-74252-84-2|oclc=782897414}}</ref> First, in due care, steps are taken to show; this means that the steps can be verified, measured, or even produce tangible artifacts.<ref>{{Cite journal|last=Thomas|first=Brook|date=2017-06-22|title=Minding Previous Steps Taken|url=http://dx.doi.org/10.1093/acprof:oso/9780190456368.003.0002|journal=Oxford Scholarship Online |doi=10.1093/acprof:oso/9780190456368.003.0002|isbn=978-0-19-045639-9}}</ref><ref>{{Cite book|last=Lundgren|first=Regina E. |title=Risk communication : a handbook for communicating environmental, safety, and health risks|year=2018|publisher=Wiley |isbn=978-1-119-45613-1|oclc=1043389392}}</ref> Second, in due diligence, there are continual activities; this means that people are actually doing things to monitor and maintain the protection mechanisms, and these activities are ongoing.<ref>{{Citation|last=Jensen|first=Eric Talbot|title=Due Diligence in Cyber Activities|date=2020-12-03|url=http://dx.doi.org/10.1093/oso/9780198869900.003.0015|work=Due Diligence in the International Legal Order|pages=252–270|publisher=Oxford University Press |doi=10.1093/oso/9780198869900.003.0015|isbn=978-0-19-886990-0|access-date=2021-06-05}}</ref> Organizations have a responsibility to practice duty of care when applying information security. 
The Duty of Care Risk Analysis Standard (DoCRA)<ref>{{cite web|url=https://docra.org/|title=The Duty of Care Risk Analysis Standard|website=DoCRA|access-date=2018-08-15|archive-url=https://web.archive.org/web/20180814170112/https://docra.org/|archive-date=2018-08-14|url-status=dead}}</ref> provides principles and practices for evaluating risk.<ref>{{Citation|last1=Sutton|first1=Adam|title=Evaluating crime prevention|url=http://dx.doi.org/10.1017/cbo9780511804601.006|work=Crime Prevention|pages=70–90|place=Cambridge|publisher=Cambridge University Press|isbn=978-0-511-80460-1|access-date=2021-06-05|last2=Cherney|first2=Adrian|last3=White|first3=Rob|year=2008|doi=10.1017/cbo9780511804601.006}}</ref> It considers all parties that could be affected by those risks.<ref>{{Cite journal|last=Check|first=Erika|date=2004-09-15|title=FDA considers antidepressant risks for kids|url=http://dx.doi.org/10.1038/news040913-15|journal=Nature|doi=10.1038/news040913-15|issn=0028-0836}}</ref> DoCRA helps evaluate whether safeguards are appropriate in protecting others from harm while presenting a reasonable burden.<ref>{{Cite journal|last=Auckland|first=Cressida|date=2017-08-16|title=Protecting me from my Directive: Ensuring Appropriate Safeguards for Advance Directives in Dementia|url=http://dx.doi.org/10.1093/medlaw/fwx037|journal=Medical Law Review|volume=26|issue=1|pages=73–97|doi=10.1093/medlaw/fwx037|pmid=28981694|issn=0967-0742}}</ref> With increased data breach litigation, companies must balance security controls, compliance, and their mission.<ref>{{Citation|last=Takach|first=George S.|title=Preparing for Breach Litigation|date=2016|url=http://dx.doi.org/10.1016/b978-0-12-803451-4.00009-5|work=Data Breach Preparation and Response|pages=217–230|publisher=Elsevier|doi=10.1016/b978-0-12-803451-4.00009-5|isbn=978-0-12-803451-4|access-date=2021-06-05}}</ref>

=== Incident response plans ===
{{Main|Computer security incident management}}
Computer security incident management is a 
specialized form of incident management focused on monitoring, detecting, and responding to security events on computers and networks in a predictable way.<ref>{{cite web | title =ISO 17799{{!}}ISO/IEC 17799:2005(E) | work =Information technology - Security techniques - Code of practice for information security management | publisher =ISO copyright office | date =2005-06-15 | pages = 90–94 | url = http://www.iso.org }}</ref> Organizations implement this through incident response plans (IRPs) that are activated when security breaches are detected.<ref>{{Citation|last=Fowler|first=Kevvie|title=Developing a Computer Security Incident Response Plan|date=2016|url=http://dx.doi.org/10.1016/b978-0-12-803451-4.00003-4|work=Data Breach Preparation and Response|pages=49–77|publisher=Elsevier|doi=10.1016/b978-0-12-803451-4.00003-4|isbn=978-0-12-803451-4}}</ref> These plans typically involve an incident response team (IRT) with specialized skills in areas like penetration testing, computer forensics, and network security.<ref>{{Citation|last=Johnson|first=Leighton R.|title=Part 1. 
Incident Response Team|date=2014|url=http://dx.doi.org/10.1016/b978-1-59749-996-5.00038-8|work=Computer Incident Response and Forensics Team Management|pages=17–19|publisher=Elsevier|doi=10.1016/b978-1-59749-996-5.00038-8|isbn=978-1-59749-996-5|access-date=2021-06-05}}</ref>

=== Change management ===
{{Main|Change management (ITSM)}}
Change management is a formal process for directing and controlling alterations to the information processing environment.<ref>{{Cite journal|last=Kampfner|first=Roberto R.|date=1985|title=Formal specification of information systems requirements |url=http://dx.doi.org/10.1016/0306-4573(85)90086-x|journal=Information Processing & Management|volume=21|issue=5|pages=401–414 |doi=10.1016/0306-4573(85)90086-x|issn=0306-4573}}</ref><ref>{{Cite book|last=Jenner|first=H.A.|title=Assessment of ecotoxicological risks of element leaching from pulverized coal ashes|date=1995|publisher=s.n.]|oclc=905474381}}</ref> This includes alterations to desktop computers, the network, servers, and software.<ref>{{Cite book|chapter=Desktop Computers: Software |chapter-url=http://dx.doi.org/10.1007/0-387-28058-8_3|title=Practical Pathology Informatics|year=2006|pages=51–82|place=New York |publisher=Springer-Verlag|doi=10.1007/0-387-28058-8_3|isbn=0-387-28057-X|access-date=2021-06-05}}</ref> The objectives of change management are to reduce the risks posed by changes to the information processing environment and improve the stability and reliability of the processing environment as changes are made.<ref>{{Cite journal|last1=Wilby|first1=R.L.|last2=Orr|first2=H.G. 
|last3=Hedger|first3=M.|last4=Forrow|first4=D.|last5=Blackmore|first5=M.|date=December 2006|title=Risks posed by climate change to the delivery of Water Framework Directive objectives in the UK|url=http://dx.doi.org/10.1016/j.envint.2006.06.017 |journal=Environment International|volume=32|issue=8|pages=1043–1055|doi=10.1016/j.envint.2006.06.017|pmid=16857260|bibcode=2006EnInt..32.1043W |issn=0160-4120}}</ref> It is not the objective of change management to prevent or hinder necessary changes from being implemented.<ref name="CampbellPractical16">{{cite book |chapter-url=https://books.google.com/books?id=sbWiDQAAQBAJ&pg=PA218 |chapter=Chapter 14: Secure Systems Development |title=Practical Information Security Management: A Complete Guide to Planning and Implementation |author=Campbell, T. |publisher=Apress |year=2016 |page=218 |isbn=9781484216859}}</ref><ref>{{Cite book|last=Koppelman|first=Kent L.|title=Understanding human differences : multicultural education for a diverse America|date=2011|publisher=Pearson/Allyn & Bacon |oclc=1245910610}}</ref> Any change to the information processing environment introduces an element of risk.<ref>{{Cite book|chapter=Post-processing|date=2013-04-12|chapter-url=http://dx.doi.org/10.4324/9780240821351-9|title=Simple Scene, Sensational Shot|pages=128–147|publisher=Routledge |doi=10.4324/9780240821351-9|isbn=978-0-240-82135-1|access-date=2021-06-05}}</ref> Even apparently simple changes can have unexpected effects.<ref>{{Cite journal|last1=Kumar|first1=Binay|last2=Mahto|first2=Tulsi|last3=Kumari|first3=Vinita|last4=Ravi |first4=Binod Kumar|last5=Deepmala|date=2016|title=Quackery: How It Can Prove Fatal Even in Apparently Simple Cases-A Case Report |url=http://dx.doi.org/10.5958/0974-1283.2016.00063.3|journal=Medico-Legal Update|volume=16|issue=2|pages=75|doi=10.5958/0974-1283.2016.00063.3|issn=0971-720X}}</ref> One of management's many responsibilities is the management of risk.<ref>{{Cite journal 
|last=Priest|first=Sally|date=2019-02-22|title=Shared roles and responsibilities in flood risk management |url=http://dx.doi.org/10.1111/jfr3.12528|journal=Journal of Flood Risk Management|volume=12|issue=1|pages=e12528 |doi=10.1111/jfr3.12528|bibcode=2019JFRM...12E2528P |s2cid=133789858|issn=1753-318X}}</ref><ref>{{Cite book|author=United States. Department of Energy. Office of Inspector General. Office of Scientific and Technical Information|title=Audit Report, "Fire Protection Deficiencies at Los Alamos National Laboratory."|date=2009|publisher=United States. Dept. of Energy|oclc=727225166}}</ref> Change management is a tool for managing the risks introduced by changes to the information processing environment.<ref>{{Cite journal|last=Toms|first=Elaine G.|date=January 1992|title=Managing change in libraries and information services; A systems approach |url=http://dx.doi.org/10.1016/0306-4573(92)90052-2|journal=Information Processing & Management|volume=28|issue=2|pages=281–282 |doi=10.1016/0306-4573(92)90052-2|issn=0306-4573}}</ref> Part of the change management process ensures that changes are not implemented at inopportune times when they may disrupt critical business processes or interfere with other changes being implemented.<ref>{{Cite book|last=Abolhassan|first=Ferri|chapter=The Change Management Process Implemented at IDS Scheer|date=2003 |chapter-url=http://dx.doi.org/10.1007/978-3-540-24703-6_2|title=Business Process Change Management|pages=15–22|place=Berlin, Heidelberg |publisher=Springer Berlin Heidelberg|doi=10.1007/978-3-540-24703-6_2|isbn=978-3-642-05532-4|access-date=2021-06-05}}</ref> Not every change needs to be managed.<ref>{{Cite book|last=Dawson|first=Chris|date=2020-07-01|title=Leading Culture Change |url=http://dx.doi.org/10.1515/9780804774673|doi=10.1515/9780804774673|isbn=9780804774673|s2cid=242348822}}</ref><ref>{{Cite book |author=McCormick, Douglas P.|title=Family Inc. 
: using business principles to maximize your family's wealth|date=22 March 2016 |publisher=John Wiley & Sons |isbn=978-1-119-21976-7|oclc=945632737}}</ref> Some kinds of changes are a part of the everyday routine of information processing and adhere to a predefined procedure, which reduces the overall level of risk to the processing environment.<ref>{{Cite journal |last=Schuler|first=Rainer|date=August 1995|title=Some properties of sets tractable under every polynomial-time computable distribution|url=http://dx.doi.org/10.1016/0020-0190(95)00108-o|journal=Information Processing Letters|volume=55|issue=4|pages=179–184|doi=10.1016/0020-0190(95)00108-o|issn=0020-0190}}</ref> Creating a new user account or deploying a new desktop computer are examples of changes that do not generally require change management.<ref>{{Cite web|title=Figure 12.2. Share of own-account workers who generally do not have more than one client|url=http://dx.doi.org/10.1787/888933881610|access-date=2021-06-05 |doi=10.1787/888933881610|format=Excel}}</ref> However, relocating user file shares or upgrading the email server poses a much higher level of risk to the processing environment and is not a normal everyday activity.<ref>{{Cite journal |date=June 1987|title=Multi-user file server for DOS LANs|url=http://dx.doi.org/10.1016/0140-3664(87)90353-7|journal=Computer Communications|volume=10|issue=3|pages=153|doi=10.1016/0140-3664(87)90353-7|issn=0140-3664}}</ref> The critical first steps in change management are (a) defining change (and communicating that definition) and (b) defining the scope of the change system.<ref>{{Citation|title=Defining Organizational Change|date=2011-04-19|url=http://dx.doi.org/10.1002/9781444340372.ch1|work=Organizational Change|pages=21–51|place=Oxford, UK|publisher=Wiley-Blackwell|doi=10.1002/9781444340372.ch1|isbn=978-1-4443-4037-2|access-date=2021-06-05}}</ref> Change management is usually overseen by a change review board composed of representatives from key 
business areas,<ref>{{Citation|last1=Kirchmer|first1=Mathias|title=Change Management – Key for Business Process Excellence|date=2003|url=http://dx.doi.org/10.1007/978-3-540-24703-6_1|work=Business Process Change Management|pages=1–14|place=Berlin, Heidelberg|publisher=Springer Berlin Heidelberg|isbn=978-3-642-05532-4|access-date=2021-06-05|last2=Scheer|first2=August-Wilhelm|doi=10.1007/978-3-540-24703-6_1}}</ref> security, networking, systems administrators, database administration, application developers, desktop support, and the help desk.<ref>{{Citation|last1=More|first1=Josh|title=Tier 2–Advanced Help Desk–Help Desk Supervisor|date=2016|url=http://dx.doi.org/10.1016/b978-0-12-800783-9.00029-x|work=Breaking Into Information Security|pages=111–113|publisher=Elsevier|isbn=978-0-12-800783-9|access-date=2021-06-05|last2=Stieber|first2=Anthony J.|last3=Liu|first3=Chris|doi=10.1016/b978-0-12-800783-9.00029-x}}</ref> The tasks of the change review board can be facilitated with the use of an automated workflow application.<ref>{{Citation|title=An Application of Bayesian Networks in Automated Scoring of Computerized Simulation Tasks|date=2006-04-04|url=http://dx.doi.org/10.4324/9780415963572-10|work=Automated Scoring of Complex Tasks in Computer-Based Testing|pages=212–264|publisher=Routledge|doi=10.4324/9780415963572-10|isbn=978-0-415-96357-2|access-date=2021-06-05}}</ref> The responsibility of the change review board is to ensure the organization's documented change management procedures are followed.<ref>{{Cite journal|last=Kavanagh|first=Michael J.|date=June 1994|title=Change, Change, Change|url=http://dx.doi.org/10.1177/1059601194192001|journal=Group & Organization Management|volume=19|issue=2|pages=139–140|doi=10.1177/1059601194192001|s2cid=144169263|issn=1059-6011}}</ref>

The change management process is as follows:<ref name="TaylorProject08">{{cite book |chapter=Chapter 10: Understanding the Project Change Process |title=Project Scheduling and Cost Control: 
Planning, Monitoring and Controlling the Baseline |author=Taylor, J. |publisher=J. Ross Publishing |year=2008 |pages=187–214 |isbn=9781932159110}}</ref>
* '''Request''': Anyone can request a change.<ref>{{Citation|title=17. Innovation and Change: Can Anyone Do This?|date=2017-12-31 |url=http://dx.doi.org/10.1515/9780824860936-019|work=Backstage in a Bureaucracy|pages=87–96|publisher=University of Hawaii Press |doi=10.1515/9780824860936-019|isbn=978-0-8248-6093-6|access-date=2021-06-05}}</ref><ref>{{Cite book|last=Braun|first=Adam |title=Promise of a pencil : how an ordinary person can create extraordinary change|date=3 February 2015|publisher=Simon and Schuster |isbn=978-1-4767-3063-9|oclc=902912775}}</ref> The person making the change request may or may not be the same person that performs the analysis or implements the change.<ref>{{Citation|title=Describing Within-Person Change Over Time|date=2015-01-30 |url=http://dx.doi.org/10.4324/9781315744094-14|work=Longitudinal Analysis|pages=235–306 |publisher=Routledge |doi=10.4324/9781315744094-14|isbn=978-1-315-74409-4|access-date=2021-06-05}}</ref><ref>{{Cite book |first1=Carolyn|last1=Ingraham |first2=Patricia W.|last2=Ban|title=Legislating bureaucratic change : the Civil Service Reform Act of 1978|date=1984 |publisher=State University of New York Press|isbn=0-87395-886-1|oclc=10300171}}</ref> When a request for change is received, it may undergo a preliminary review to determine if the requested change is compatible with the organization's [[business model]] and practices, and to determine the amount of resources needed to implement the change.<ref>{{Cite journal|last=Wei|first=J. 
|date=2000-05-04|title=Preliminary Change Request for the SNS 1.3 GeV-Compatible Ring|doi=10.2172/1157253|osti=1157253 |url=https://www.osti.gov/biblio/1157253/|access-date=18 January 2022 |website=OSTI.GOV}}</ref>
* '''Approve''': Management runs the business and controls the allocation of resources; therefore, management must approve requests for changes and assign a priority for every change.<ref>{{Cite book|last=Chen Liang|title=2011 International Conference on Business Management and Electronic Information |chapter=Allocation priority management of agricultural water resources based on the theory of virtual water |date=May 2011|chapter-url=http://dx.doi.org/10.1109/icbmei.2011.5917018|volume=1|pages=644–647|publisher=IEEE|doi=10.1109/icbmei.2011.5917018|isbn=978-1-61284-108-3|s2cid=29137725}}</ref> Management might choose to reject a change request if the change is not compatible with the business model, industry standards or best practices.<ref>{{Citation|title=Change risks and best practices in Business Change Management Unmanaged change risk leads to problems for change management|date=2013-07-18 |work=Leading and Implementing Business Change Management|pages=32–74|publisher=Routledge|doi=10.4324/9780203073957 |url=https://www.taylorfrancis.com/chapters/mono/10.4324/9780203073957-2/change-risks-best-practices-business-change-management-david-jones-ronald-recardo |isbn=978-0-203-07395-7 |last1=Jones |first1=David J. |last2=Recardo |first2=Ronald J. 
}}</ref><ref>{{Cite book|last=Bragg|first=Steven M.|title=Accounting Best Practices|date=2016|publisher=Wiley|isbn=978-1-118-41780-5|oclc=946625204}}</ref> Management might also choose to reject a change request if the change requires more resources than can be allocated for the change.<ref>{{Cite journal|date=2008-10-17|title=Successful change requires more than change management |url=http://dx.doi.org/10.1108/hrmid.2008.04416gad.005|journal=Human Resource Management International Digest|volume=16|issue=7 |doi=10.1108/hrmid.2008.04416gad.005|issn=0967-0734}}</ref>
* '''Plan''': Planning a change involves discovering the scope and impact of the proposed change; analyzing the complexity of the change; allocating resources; and developing, testing, and documenting both implementation and back-out plans.<ref>{{Citation|title=Planning for water resources under climate change|date=2010-09-13|url=http://dx.doi.org/10.4324/9780203846537-20|work=Spatial Planning and Climate Change|pages=287–313|publisher=Routledge|doi=10.4324/9780203846537-20|isbn=978-0-203-84653-7|access-date=2021-06-05}}</ref> The criteria on which a decision to back out will be made need to be defined.<ref>{{Cite journal|last=Rowan|first=John|date=January 1967|title=Answering the computer back|url=http://dx.doi.org/10.1108/eb000776|journal=Management Decision|volume=1|issue=1|pages=51–54|doi=10.1108/eb000776|issn=0025-1747}}</ref>
* '''Test''': Every change must be tested in a safe test environment, which closely reflects the actual production environment, before the change is applied to the production environment.<ref>{{Cite journal|last1=Biswas|first1=Margaret R.|last2=Biswas|first2=Asit K.|date=February 1981|title=Climatic change and food production|url=http://dx.doi.org/10.1016/0304-1131(81)90050-3|journal=Agriculture and Environment|volume=5|issue=4|pages=332|doi=10.1016/0304-1131(81)90050-3|issn=0304-1131}}</ref> The backout plan must also be 
tested.<ref>{{Citation|chapter=backout|doi=10.1007/1-4020-0613-6_1259 |title=Computer Science and Communications Dictionary |date=2000 |last1=Weik |first1=Martin H. |page=96 |isbn=978-0-7923-8425-0 }}</ref>
* '''Schedule''': Part of the change review board's responsibility is to assist in the scheduling of changes by reviewing the proposed implementation date for potential conflicts with other scheduled changes or critical business activities.<ref>{{Citation|title=Editorial Advisory and Review Board|date=2011-12-06|url=http://dx.doi.org/10.1108/s2043-9059(2011)0000003005|work=Business and Sustainability: Concepts, Strategies and Changes|series=Critical Studies on Corporate Responsibility, Governance and Sustainability|volume=3|pages=xv–xvii|publisher=Emerald Group Publishing Limited|doi=10.1108/s2043-9059(2011)0000003005|isbn=978-1-78052-438-2|access-date=2021-06-05}}</ref>
* '''Communicate''': Once a change has been scheduled, it must be communicated.<ref>{{Citation|title=Where a Mirage Has Once Been, Life Must Be|url=http://dx.doi.org/10.2307/j.ctv6sj8d1.65|work=New and Selected Poems|year=2014|pages=103|publisher=University of South Carolina Press|doi=10.2307/j.ctv6sj8d1.65|isbn=978-1-61117-323-9|access-date=2021-06-05}}</ref> The communication is to give others the opportunity to remind the change review board about other changes or critical business activities that might have been overlooked when scheduling the change.<ref>{{cite journal |last1=Bell |first1=Marvin |title=Two, When There Might Have Been Three |journal=The Antioch Review |date=1983 |volume=41 |issue=2 |pages=209 |doi=10.2307/4611230 |jstor=4611230 }}</ref> The communication also serves to make the help desk and users aware that a change is about to occur.<ref>{{Cite journal|title=We can also make change|url=http://dx.doi.org/10.1163/2210-7975_hrd-0148-2015175|access-date=2021-06-05|website=Human Rights Documents Online|doi=10.1163/2210-7975_hrd-0148-2015175}}</ref> Another responsibility of the 
change review board is to ensure that scheduled changes have been properly communicated to those who will be affected by the change or otherwise have an interest in the change.<ref>{{cite SSRN|last1=Mazikana |first1=Anthony Tapiwa |title='Change Is the Law of Life. and Those Who Look only to the past or Present Are Certain to Miss the Future- John F. Kennedy' Assessing This Statement with References to Organizations in Zimbabwe Who Have Been Affected by Change. |date=5 November 2020<!--|doi=10.2139/ssrn.3725707|s2cid=238964905 -->|ssrn=3725707 }}</ref><ref>{{Cite book|editor-last=Ramanadham|editor-first=V. V.|title=Privatisation in the UK|isbn=978-0-429-19973-8|oclc=1085890184}}</ref>
* '''Implement''': At the appointed date and time, the changes must be implemented.<ref>{{Cite journal|date=2020-09-22|title=More complex/realistic rheology must be implemented; Numerical convergence tests must be performed|doi=10.5194/gmd-2020-107-rc2|s2cid=241597573 |doi-access=free |journal= Geoscientific Model Development Discussions}}</ref><ref>{{Cite book |author=Stone, Edward|title=Edward C. Stone Collection|oclc=733102101}}</ref> Part of the planning process was to develop an implementation plan, a testing plan, and a back out plan.<ref>{{Cite book|last=Lientz|first=B|chapter=Develop Your Improvement Implementation Plan|date=2002|chapter-url=http://dx.doi.org/10.1016/b978-0-12-449984-3.50011-8|title=Achieve Lasting Process Improvement |pages=151–171|publisher=Elsevier|doi=10.1016/b978-0-12-449984-3.50011-8|isbn=978-0-12-449984-3|access-date=2021-06-05}}</ref><ref>{{Cite book|last=Smeets|first=Peter|title=Expeditie agroparken : ontwerpend onderzoek naar metropolitane landbouw en duurzame ontwikkeling|date=2009|publisher=s.n.]|isbn=978-90-8585-515-6 |oclc=441821141}}</ref> If the implementation of the change should fail, or the post-implementation testing fails, or other "drop dead" criteria have been met, the back out plan should be implemented.<ref>{{Cite web|title=Figure 1.3. 
About 50 percent of the Going for Growth recommendations have been implemented or are in process of implementation |url=http://dx.doi.org/10.1787/888933323735|access-date=2021-06-05|doi=10.1787/888933323735}}</ref>
* '''Document''': All changes must be documented.<ref>{{Citation|last=Kekes|first=John|title=Must Justice Be Done at All Costs?|date=2019-02-21|url=http://dx.doi.org/10.1093/oso/9780190919986.003.0005|work=Hard Questions|pages=98–126|publisher=Oxford University Press|doi=10.1093/oso/9780190919986.003.0005|isbn=978-0-19-091998-6|access-date=2021-06-05}}</ref><ref>{{Cite book |last=Forrester|first=Kellie|title=Macroeconomic implications of changes in the composition of the labor force|year=2014|publisher=University of California, Santa Barbara |isbn=978-1-321-34938-2|oclc=974418780}}</ref> The documentation includes the initial request for change, its approval, the priority assigned to it, the implementation,<ref>{{Cite journal|last1=Choudhury|first1=Gagan L.|last2=Rappaport|first2=Stephen S.|date=October 1981 |title=Demand assigned multiple access systems using collision type request channels|url=http://dx.doi.org/10.1145/1013879.802667 |journal=ACM SIGCOMM Computer Communication Review|volume=11|issue=4|pages=136–148|doi=10.1145/1013879.802667|issn=0146-4833}}</ref> testing and back out plans, the results of the change review board critique, the date/time the change was implemented,<ref>{{Cite journal|last=Crinson|first=Mark|date=2013|title="Certain Old and Lovely Things, Whose Signified Is Abstract, Out of Date": James Stirling and Nostalgia|url=http://dx.doi.org/10.1353/cot.2013.0000|journal=Change over Time|volume=3|issue=1|pages=116–135|doi=10.1353/cot.2013.0000|s2cid=144451363 |issn=2153-0548}}</ref> who implemented it, and whether the change was implemented successfully, failed or postponed.<ref>{{Cite book|last1=Ahwidy|first1=Mansour|last2=Pemberton|first2=Lyn|title=Proceedings of the International Conference on Information and Communication 
Technologies for Ageing Well and e-Health |chapter=What Changes Need to be Made within the LNHS for Ehealth Systems to be Successfully Implemented? |date=2016|chapter-url=http://dx.doi.org/10.5220/0005620400710079|pages=71–79|publisher=Scitepress|doi=10.5220/0005620400710079|isbn=978-989-758-180-9}}</ref><ref>{{Cite book|last=Mortimer|first=John|title=Paradise postponed|date=April 2010|publisher=Penguin Adult |isbn=978-0-14-104952-6 |oclc=495596392}}</ref>
* '''Post-change review''': The change review board should hold a post-implementation review of changes.<ref name="Soriani">{{cite journal | doi=10.1038/s41577-021-00544-9 | title=Concerns about SARS-CoV-2 evolution should not hold back efforts to expand vaccination | year=2021 | last1=Cobey | first1=Sarah | last2=Larremore | first2=Daniel B. | last3=Grad | first3=Yonatan H. | last4=Lipsitch | first4=Marc | journal=Nature Reviews Immunology | volume=21 | issue=5 | pages=330–335 | pmid=33795856 | pmc=8014893 }}</ref> It is particularly important to review failed and backed out changes. 
The review board should try to understand the problems that were encountered, and look for areas for improvement.<ref name="Soriani"/>

Change management procedures that are simple to follow and easy to use can greatly reduce the overall risks created when changes are made to the information processing environment.<ref>{{Citation|last=Frampton|first=Michael|title=Processing Data with Map Reduce|date=2014-12-26|url=http://dx.doi.org/10.1007/978-1-4842-0094-0_4|work=Big Data Made Easy|pages=85–120|place=Berkeley, CA|publisher=Apress|doi=10.1007/978-1-4842-0094-0_4|isbn=978-1-4842-0095-7|access-date=2021-06-05}}</ref> Good change management procedures improve the overall quality and success of changes as they are implemented.<ref>{{Cite journal|date=2016-02-23|title=Good study overall, but several procedures need fixing|url=https://hess.copernicus.org/preprints/hess-2015-520/hess-2015-520-RC2.pdf|doi=10.5194/hess-2015-520-rc2|access-date=18 January 2022 |doi-access=free|journal= Hydrology and Earth System Sciences Discussions}}</ref> This is accomplished through planning, peer review, documentation, and communication.<ref>{{cite web|url=https://apps.dtic.mil/sti/citations/ADA313949 |id={{DTIC|ADA313949}} |last1=Harrison |first1=Kent |last2=Craft |first2=Walter M. |last3=Hiller |first3=Jack |last4=McCluskey |first4=Michael R.|author5=BDM Federal Inc Seaside CA |date=July 1996 |title=Peer Review Coordinating Draft. 
Task Analysis for Conduct Intelligence Planning (Critical Combat Function 1): As Accomplished by a Battalion Task Force }}</ref>

[[ISO/IEC 20000]], The Visible OPS Handbook: Implementing ITIL in 4 Practical and Auditable Steps<ref>[http://www.itpi.org/home/visibleops2.php itpi.org] {{webarchive |url=https://web.archive.org/web/20131210081531/http://www.itpi.org/home/visibleops2.php |date=December 10, 2013 }}</ref> (Full book summary),<ref>{{cite web|url=http://www.wikisummaries.org/wiki/Visible_Ops |title=book summary of The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps |publisher=wikisummaries.org |access-date=2016-06-22}}</ref> and [[ITIL]] all provide valuable guidance on implementing an efficient and effective change management program for information security.<ref>{{Citation|last=Bigelow|first=Michelle|title=Change Control and Change Management|date=2020-09-23|url=http://dx.doi.org/10.4324/9781003126294-17|work=Implementing Information Security in Healthcare|pages=203–214|publisher=HIMSS Publishing|doi=10.4324/9781003126294-17|isbn=978-1-003-12629-4|s2cid=224866307|access-date=2021-06-05}}</ref>