With additions to NERC CIP regulations coming in April, enterprise IT across the U.S. should be taking a good, hard look in the mirror and making adjustments to their processes to stay compliant.
Utilizing the most malleable IT service management suite makes a big difference - it can enhance software production by accelerating release cycles, as well as give DevOps teams a boost of confidence in the patches and updates they push, knowing they're timely and complete thanks to automated testing.
The best change management, however, is more than just tools used. Rather, it's a honing of the operation itself to remove redundancies, streamline workflow and ensure everything deployed benefits customers and the product itself. At each step of the change management process, from initiation to release, where should IT pay the most attention? Here are 4 keycomponents of change management that should carry extra attention:
1. Request for Change
When planning a potential change, change advisory boards and other relevant parties must see "the big picture" from the outset. Microsoft recommends CABs not merely focus on feasibility from a technical standpoint, but also on how implementing change could impact physical operations. Will this RFC require the company to deviate from its change management policies? Will it need additional hardware? Is staff prepared to move forward with this RFC? Hitting all these points early in the change management process prevents hang ups down the road.
2. Change Categorization
Upon approval from a change manager, the change is then assigned an identifier based on a number of factors. Each IT department should feel free to formulate a categorization strategy that fits their individual needs, but all should stay wary of a few crucial missteps.
First, categorization should adhere to a strict, straightforward system everyone follows. The nature of a given change, whether adopted or denied, should be easily identifiable. Moreover, if companies choose to have a label for changes requiring more research, there should be defined guidelines for what this categorization constitutes, lest it become a bottomless repository where nothing gets done. Lastly, the National Institute of Standards and Technology suggests always maintaining a category devoted to changes impacting security. In light of upcoming NERC CIP changes aimed at cybersecurity above all else, this seems like sound advice.
3. Release Management
Simply put, though release management may be the most vital step to the change management process. Companies that typically perform this task by hand should consider the advantages of automating it. Manually auditing and pulling the trigger on releases in a modern change management process - one that already automates so many time-intensive procedures like testing - is like pouring a ton of industrial-strength glue right before the finish line of a 100-meter dash.
4. Migrating Changes
While we've spoken in the past about how best to perform change migration, they all revolve around one unified principle: Companies should be really, really sure about the person or people they choose to carry out the task. Internal Auditor believes assigning this role to the company's change manager or someone outside the development team reduces the risk of unauthorized code entering into the picture.