Monday, April 16, 2012

Controlling Unauthorized Changes

I have frequently come across a question – “How can we control unauthorized changes?” Some of the most common responses I have come across are:
  • A discovery tool can help identify a change of state which, if not approved, means the change is unauthorized. This is reactive: it responds to a change that has already been implemented. It can help us identify unauthorized changes that have already been implemented, provided that change of state is being monitored. But if that change fails, the impact to the business will already have happened.

  • We need to embed a process culture to ensure that everyone follows the defined processes and policies. Again, this is a reactive approach, applicable only once one is aware that an unauthorized change has taken place. Maybe it can help minimize the probability when implemented with a severe penalty clause, so that it acts as a deterrent for an individual to go against the defined process or policy. But there is a saying: “A thief is not a thief till one is caught stealing.” The same applies to unauthorized changes. Many organizations realize that an unauthorized change has taken place only when that change fails and impacts the business.
  • Many have suggested combining the above two to eventually ensure that unauthorized changes are not implemented.
Then, what can be a proactive way whereby change management ensures that an unauthorized change does not take place?

To answer the above question, the IT Security Management process has to be tightly integrated with Change Management. As part of IT security process and policy definition, a security policy has to be defined whereby ‘write’ access to the production environment is granted to the concerned stakeholders, including the ‘administrators’, only when a change is approved and the concerned stakeholder is responsible for that change.

The defined security policy would be implemented by Access Management. Granting and revoking access can be automated by linking the approved change, the implementer ID and the change schedule with the access control application.
This process would ensure that no one has access to the environment unless the same is approved by change management through an approved change request, thereby proactively making certain, to a greater degree of accuracy, that only approved changes are implemented. (An approved stakeholder could still make an unapproved change in the environment to which one has access for implementing an approved change, but such instances would be extremely rare.)
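As an added illustration (not code from the original post), the following Python sketch models the policy described above: a write-access check that succeeds only for the implementer of an approved change inside its scheduled window, the grant/revoke events an access-control integration would derive from the change schedule, and the reactive reconciliation of discovery-tool findings against approved changes that the first bullet describes. Change IDs, user names, environments and times are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Change:
    change_id: str       # change-request reference (constructed sample values below)
    environment: str     # production system the change touches
    implementer: str     # user ID responsible for implementing the change
    start: datetime      # approved change window
    end: datetime
    approved: bool = False

def write_access_allowed(user, environment, now, changes):
    """Return the change_id justifying write access, or None: needs an approved
    change naming user as implementer for environment with now in its window."""
    for c in changes:
        if (c.approved and c.environment == environment
                and c.implementer == user and c.start <= now <= c.end):
            return c.change_id
    return None

def access_events(changes):
    """Grant/revoke actions for the access-control integration, in time order.
    Unapproved changes produce no events, so nobody gets access for them."""
    events = []
    for c in changes:
        if c.approved:
            events.append((c.start, "grant", c.implementer, c.environment, c.change_id))
            events.append((c.end, "revoke", c.implementer, c.environment, c.change_id))
    return sorted(events)

def unauthorized_changes(observed, changes):
    """Reactive check a discovery tool would do: observed (user, environment,
    time) state changes that no approved change window covers."""
    return [o for o in observed if write_access_allowed(*o, changes) is None]

T0 = datetime(2012, 4, 16, 22, 0, tzinfo=timezone.utc)  # constructed window start
CHANGES = [
    Change("CHG-1001", "prod-web-01", "alice", T0, T0 + timedelta(hours=2), approved=True),
    Change("CHG-1002", "prod-db-01", "bob", T0, T0 + timedelta(hours=1)),  # never approved
]
OBSERVED = [  # constructed discovery-tool findings: (user, environment, time)
    ("alice", "prod-web-01", T0 + timedelta(minutes=30)),  # approved and in window
    ("bob", "prod-db-01", T0 + timedelta(minutes=30)),     # change not approved
    ("alice", "prod-web-01", T0 + timedelta(hours=3)),     # outside the window
]

if __name__ == "__main__":
    print(access_events(CHANGES))
    print(unauthorized_changes(OBSERVED, CHANGES))
```

Only the first observed change is covered by an approved window; the other two are flagged, and the schedule yields exactly one grant and one revoke, both for the approved change.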

Saturday, December 17, 2011

6 ‘I’s Of Strategic Decision Making

Strategic Decision Making is a continuous process. There are various models for strategy generation (My Strategy Generation Model). But still, a question that bothers us is - "How do we formulate and decide a strategy?"

I propose the following model for Strategic Decision Making. I prefer to refer to it as the "6 I's of Strategic Decision Making".

My 6 I's are:
  1. Identification of problem: During this stage the problem for which the strategic decision has to be made is identified. The output of this stage would be the problem statement.

  2. Information processing: This is the stage where data gathering is done and information is processed. Referring to my model of strategy generation, this is the Strategic Assessment stage/phase. We analyze all external and internal factors, conduct appreciative enquiry and arrive at various objectives.

  3. Identification of options: The identified objectives will act as an input for identifying various options. From an IT strategy perspective this would be the second phase of my strategy generation model, the SITP Planning Process (rather, even the 4th and 5th I's are related to it).
    Otherwise, for identifying any strategic option, the objectives will be analyzed to identify the various ways or options by which they can be accomplished. The focus should be on identifying as many options as may be possible.

  4. Isolating a choice: After identifying the various available options, the best one needs to be identified. There are various qualitative and quantitative techniques that may be used to isolate the choice. These methods would be discussed in my next post. This would also give measurable targets for the strategy or objectives.

  5. Implementation: After the choice has been identified/isolated, the implementation plan has to be formulated. Mintzberg's Plan and Pattern will act as a catalyst for formulating the implementation plan. Thereafter, the steps for implementation of the plan are performed, which would include allocation of the required resources. Thus, the resources and capabilities of the organization will enable the eventual implementation.

  6. Improvement via feedback: This is the feedback mechanism. Whether the implementation is in line with the identified measurable targets or not is determined with regular feedback; gaps and corrective actions are identified and implemented. Eventually, when the required target is achieved, it would mean that the strategic decision has been able to successfully resolve the IT/business strategic problem.
It should be noted that strategic decision making is a cyclic process. Also, it may be possible that strategic decision making for a new problem has to be initiated when that for another problem is already at some stage of the 6 I's. In such a situation we can find parallel implementation of the 6 I's.

My 6 I's of decision making can easily be related to the PDCA or Deming Cycle. Also, it should be observed that the problem statement referred to in this post is more of the business or IT issue or need at hand for which a strategic decision has to be made.