Monday, April 16, 2012

Controlling Unauthorized Changes

I have frequently come across a question – “How can we control unauthorized changes?” Some of the most common response that I have come across are:
  • Discovery tool can help in identification of the change of state, which if not approved would mean the change is unauthorized. This is reactive; in reaction to a change that has already been implemented. It can help us in identifying the unauthorized changes that has already been implemented, in case that change of state is being monitored. But if that change fails, the impact to the business would have already happened.

  • We need to embed process culture to ensure that everyone follows the defined processes and policies. Again a reactive approach if one is aware that unauthorized change has taken place. May be it can help in minimizing the probability when implemented with a severe penalty clause whereby it would be a deterrent for an individual to go against the defined process or policy. But there is a saying “Thief is not a thief till one is caught stealing”. Same applies to unauthorized changes. Many organizations realizes that unauthorized change has taken place only when that change fails and impacts the business.
  • Many have voiced the combination of the above two to eventually ensure that unauthorized changes are not implemented.
Then, what can be a pro-active way whereby change management can ensure that an unauthorized change does not take place?

To answer the above question, IT Security Management process has to be tightly integrated with Change Management. As part of the IT security process and policy definition, a security policy has to defined whereby ‘write’ access to the production environment can be granted to the concerned stakeholders, including the ‘administrators’ only when a change is approved and the concerned stakeholder is responsible for the change.

The defined security policy would be implemented by Access Management. Granting and revoking access can be automated by linking the approved change, implementer ID and change schedule with the access control application.
This process would ensure that no one has the access to the environment unless the same is approved by change management, which would be an approved change request. Thereby, proactively making certain that only approved changes are implemented to greater degree of accuracy (an approved stakeholder can still make some change which is not approved in the environment one has access to for implementing an approved change but such instances would be extremely rare)


  1. Six Sigma Certification is another certification that, bit by bit, rises to fame.

    This course is very important since business is what runs within an organization. Thanks a lot for sharing!

    Six Sigma

  2. Thanks for sharing the nice information regarding the controlling unauthorized changes.
    IT consulting Texas

  3. I am so grateful for your blog article.Really looking forward to read more.

    ShoreTel Dealer
    Crestron Dealer

  4. Hi ! This is my first visit to your blog! Your blog provided us beneficial information to work

    Business consultant

  5. Thanks for the information.
    Here's my views on process consulting:

    I would appreciate your comments.

  6. I've really learned a lot from this. Thanks for sharing this information!.

    business process improvement best practices