Solved

Change control policy testing in windows environment

Posted on 2011-09-29
356 Views
Last Modified: 2012-05-12
What kind of things in a Windows environment, i.e. users/computers/servers/AD, would typically go through "change control"?

90% of our IT service is outsourced - and we don't have a documented change management policy.

However - if for example we want a new user setting up - it can be logged as a service request - but it needs approval from either of our in-house IT managers before it is OK'd and the 3rd party can set them up in AD. Does that constitute effective change control?

Do we need a documented policy if our call logging system enforces approval?

Where's the risk of us not having an internal documented change control policy?

And what other areas in Windows could we test to see whether certain activities went through change control?
Question by: pma111
8 Comments
LVL 9

Accepted Solution

by: Lester_Clayton (earned 300 total points)
ID: 36815012
Change control is good, but it can also be a pain in the proverbial backside.  The way I like to look at change is as follows:

Change control should always be done in a situation where an action is taken that will affect more than 1 user.  Things that won't be included include:

Creation of a new user
Creation of a mailbox
Creation of a group
Placing members in the group
Giving rights to a user
Removing rights from a user

Things that would be included include:

Distributing an application to a group
Creating a Group Policy Object
Changing Exchange policies
Installing a new server

Change control is all about risk management - you're trying to determine what the risk is of any given action, which is why it needs to be scrutinized by your peers and managers.  Change control should be approved by a peer (even if that peer is of a lower grade than yourself), and a manager.

Change control should include testing (if possible) - implementation - Rollback Plan - signoff/confirmation

Testing: Has the change you're proposing been done before?  Has it been tested?  What were the expected results?
Implementation: When is it going to be implemented?  Is there going to be any downtime?  Who should be notified?
Rollback Plan: If the change doesn't go through as planned, is there a rollback plan?  Has that been tested?
Signoff/Confirmation: Was the change successful?  Has there been testing done to verify the change succeeded?

Yes, you will most definitely need a documented policy.  You will need this for quality purposes, and also to be able to show people that there is a process in place which should be adhered to.  The policy should be approved by the highest ranking IT Official, that way it becomes law.

The risk of not having a policy in place could be anything from minor downtime due to a mistake made by an operator who implemented a change, to worst case scenario - accidental loss of data.  If you lose money as a result of a change which was done, and you try to claim back from Insurance, they're going to ask you who authorized the change, where your change documentation is and what your change policies are.

Governing change is very hard to do - all of your trusted colleagues are administrators, and can freely make change without consequence.  If you start implementing a consequence, like a fine, warning or dismissal for an unauthorized change.

You must also take into consideration emergencies.  Emergencies are when a senior engineer takes the decision to make a change without approval because the change was necessary and could not wait.  For example, if one of my disk drives fails, I would change it immediately without raising a change control.  If a disk became full, I would increase it without a change.  These should however be logged in any event, so that the people who are responsible are aware of what happened.

Hope this helps you define some new change processes :)
LVL 3

Author Comment

by: pma111
ID: 36815096
Good post - will leave open a while longer in case anyone else has input
LVL 66

Assisted Solution

by: johnb6767 (earned 100 total points)
ID: 36816571
Excellent post above... Only 1 thing to add....

It might be worth taking a course in ITIL.

I believe it would be the V3 Foundations for the entry-level course. Gets pretty in depth. The only problem with learning it is that it needs to be implemented, and from what I have seen it is very selective which practices truly are followed....

http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library#Change_management
LVL 3

Author Comment

by: pma111
ID: 36890498
How does approval fit in with change management?
For example you say:

Things that won't be included include:
Creation of a new user

What if a department requests a new user in a sensitive network - does that just get approved - or does it have to go through some approval from management/IT before it's set up? Does that sort of scenario not fall under change management?
LVL 78

Assisted Solution

by: David Johnson, CD, MVP (earned 100 total points)
ID: 36892186
Users are consumers of IT; we supply the tools, they use them.  The new user has already been vetted by HR and the Department Head (who is ultimately responsible).  If the 'new user' has to go through corporate and then the outsourcer, what is the cost to the company of having an unproductive employee who was hired to do a job that isn't being done?
LVL 3

Author Comment

by: pma111
ID: 36908565
So in a nutshell change control is not necessary for setting up a new security group or a new domain user account?
LVL 78

Expert Comment

by: David Johnson, CD, MVP
ID: 36910366
New security group: yes, because this has security implications

New domain user: no, as this does not have security implications
LVL 9

Assisted Solution

by: Lester_Clayton (earned 300 total points)
ID: 36910480
This could be debated.  In my opinion, I'd say that a new security group would not require a change control, but granting this security group permission to a resource might.  You really need to find the right balance between creating a process that aids your infrastructure without tipping too far into the ludicrous.

I'd suggest that you have a documented process that people should follow when it comes to installing a new printer - one that has been tried and tested, this kind of pre-approved instruction should not require a change control.  This can include configuring DHCP IP reservation, installing a tested driver into a test environment, installing it into a live environment, creating a group, linking the printer to the group and putting members in the group - all pre-approved because it's been documented.
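The question asked what could be tested in Windows to see whether activities went through change control, and the answers above split AD actions into change-controlled ones (security groups, group membership, GPOs) and routine service requests (new user accounts). The following is an added example, not code from this thread or from any of its posters: a PowerShell reconciliation that takes security-log events and a list of approved change records, and reports any change-controlled action that has no approved change covering that object at that time. The event IDs are the standard Windows Security log IDs for group and user management (they only appear if the relevant audit policies are enabled on the domain controllers); the event objects and change records in the block are constructed sample data, and the comment shows the Get-WinEvent call you would use on a real DC in their place.

```powershell
# Added example (not from this thread): reconcile AD change events against approved change records.
# Event IDs are standard Windows Security log IDs; they require the "Audit Security Group Management"
# and "Audit User Account Management" policies to be enabled on the domain controllers.
# On a DC the real events would come from:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720,4727,4731,4754,4728,4732,4756 }
# where the created/changed object is in the TargetUserName event property and the actor in SubjectUserName.
# The $Events and $Changes arrays below are CONSTRUCTED sample data.

# Actions the thread treats as change-controlled: security groups and their membership ...
$ChangeControlled = @{
    4727 = 'Security-enabled global group created'
    4731 = 'Security-enabled local group created'
    4754 = 'Security-enabled universal group created'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
}
# ... and routine service requests that only need ticket approval, so they are skipped here.
$RoutineRequests = @{ 4720 = 'User account created' }

function Get-ChangeReconciliation {
    # Matches each change-controlled event to an approved change record that names the same
    # target object and whose approved window contains the event time. Unmatched = UNTICKETED.
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Id, TimeCreated, Actor, Target
        [Parameter(Mandatory)] [object[]] $Changes,  # objects with Ticket, Target, ApprovedFrom, ApprovedTo
        [hashtable] $Controlled = $ChangeControlled
    )
    foreach ($e in $Events) {
        $id = [int]$e.Id
        if (-not $Controlled.ContainsKey($id)) { continue }   # routine request, out of scope
        $match = $Changes | Where-Object {
            $_.Target -eq $e.Target -and
            $e.TimeCreated -ge $_.ApprovedFrom -and
            $e.TimeCreated -le $_.ApprovedTo
        } | Select-Object -First 1
        $ticket = '-'
        $status = 'UNTICKETED'
        if ($match) { $ticket = $match.Ticket; $status = 'Covered' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Action      = $Controlled[$id]
            Actor       = $e.Actor
            Target      = $e.Target
            Ticket      = $ticket
            Status      = $status
        }
    }
}

# Constructed sample data: two approved change records ...
$Changes = @(
    [pscustomobject]@{ Ticket = 'CHG-0101'; Target = 'Finance-Share-RW'; ApprovedFrom = [datetime]'2011-09-28 18:00'; ApprovedTo = [datetime]'2011-09-28 20:00' }
    [pscustomobject]@{ Ticket = 'CHG-0102'; Target = 'HR-Printers';      ApprovedFrom = [datetime]'2011-09-29 09:00'; ApprovedTo = [datetime]'2011-09-29 12:00' }
)
# ... and four audit events. The third (a security group created outside any approved window)
# is the one that should be flagged; the fourth (a new user account) is a routine request and is skipped.
$Events = @(
    [pscustomobject]@{ Id = 4727; TimeCreated = [datetime]'2011-09-28 18:30'; Actor = 'svc-outsourcer'; Target = 'Finance-Share-RW' }
    [pscustomobject]@{ Id = 4728; TimeCreated = [datetime]'2011-09-29 10:15'; Actor = 'svc-outsourcer'; Target = 'HR-Printers' }
    [pscustomobject]@{ Id = 4727; TimeCreated = [datetime]'2011-09-29 22:05'; Actor = 'admin-jsmith';   Target = 'Domain-Backup-Ops' }
    [pscustomobject]@{ Id = 4720; TimeCreated = [datetime]'2011-09-29 10:40'; Actor = 'svc-outsourcer'; Target = 'new.starter' }
)

$report = Get-ChangeReconciliation -Events $Events -Changes $Changes
$report | Format-Table -AutoSize
# Anything left here is a change-controlled action with no matching approval record.
$report | Where-Object Status -eq 'UNTICKETED'
```

The same shape extends to the other change-controlled items in the thread: GPO creation and modification surface as Directory Service events (5137 created, 5136 modified) when the "Audit Directory Service Changes" policy is on, and can be added to the controlled table with the GPO's distinguished name as the target. The useful outcome of running this against the outsourcer's activity is not the script output itself but the conversation it starts: every UNTICKETED row is either a missing ticket, an emergency change that should have been logged after the fact, or an action the organisation has decided does not need change control and should say so in the written policy.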