Maintenance Phase
The maintenance phase involves making changes
to hardware, software, and documentation to support a system’s operational
effectiveness. It includes making changes to improve a system’s performance,
correct problems, enhance security, or address user requirements. To ensure
modifications do not disrupt operations or degrade a system’s performance or
security, organizations should establish appropriate change management
standards and procedures.
Change management (sometimes referred to as
configuration management) involves establishing baseline versions of products,
services, and procedures and ensuring all changes are approved, documented, and
disseminated.
Change controls should address all aspects of
an organization’s technology environment including software programs, hardware
and software configurations, operational standards and procedures, and project
management activities. Management should establish change controls that address
major, routine, and emergency software modifications and software patches. Major
modifications involve significant changes to a system’s functionality.
Management should implement major modifications using a well-structured
process, such as an SDLC methodology.
Routine changes are not as complex as major
modifications and can usually be implemented in the normal course of business.
Routine change controls should include procedures for requesting, evaluating,
approving, testing, installing, and documenting software modifications.
Emergency changes may address an issue that
would normally be considered routine; however, because of security concerns or
processing problems, the changes must be made quickly. Emergency change
controls should include the same procedures as routine change controls.
Management should establish abbreviated request, evaluation, and approval
procedures to ensure they can implement changes quickly.
Detailed evaluations and documentation of
emergency changes should be completed as soon as possible after changes are
implemented. Management should test the routine and quickly notify affected
parties of all changes. If management is unable to thoroughly test emergency
modifications before installation, it is critical that they appropriately
back up files and programs and have established back-out procedures in place.
Software patches are similar in complexity to
routine modifications. This document uses the term “patch” to describe program
modifications involving externally developed software packages. However,
organizations with in-house programming may also refer to routine software
modifications as patches. Patch
management programs should address procedures for evaluating, approving,
testing, installing, and documenting software modifications. However, a
critical part of the patch management process involves maintaining an awareness
of external vulnerabilities and available patches.
Maintaining accurate, up-to-date hardware and
software inventories is a critical part of all change management processes.
Management should carefully document all modifications to ensure accurate
system inventories. (If a material software patch is identified but not implemented,
management should document the reason why the patch was not installed.)
Management should coordinate all technology-related
changes through an oversight committee and assign an appropriate party
responsibility for administering software patch management programs.
Quality assurance, security, audit, regulatory
compliance, network, and end-user personnel should be appropriately included in
change management processes. A risk and security review should be performed whenever a
system modification is implemented to ensure controls remain in place.