IT Change Management Survey Finds Many Changes Are Undocumented

Change and configuration auditing software vendor Netwrix released a survey of 577 information technology (IT) professionals showing a potential lack of controls and documentation in IT change management processes.

Among the survey’s findings:

  • 57 percent of the organizations were making undocumented changes.
  • 62 percent of the IT departments had no real ability to audit changes.
  • 65 percent had service interruptions due to changes.
  • 17 percent of the large enterprises found that a change caused a security breach.

These are very serious findings because IT change management is such a foundational part of every IT department’s mission. Weaknesses and lack of oversight in this area can lead to system downtime, security breaches, internal and external threats and reduced operational efficiency.

The majority of organizations reported they had change management process controls in place, although this declined with the size of the organization. The lack of change management process controls was even more pronounced when measured against IT staff size. Although 38 percent stated they had systems in place to audit changes, many were relying on system log data as their change audit system. System logs contain important change-related data, but its presence is no guarantee it’s in a meaningful format.

This opens the door for the most eye-opening finding—57 percent of respondents were making continual periodic changes that were undocumented. Seven percent reported making continual periodic undocumented changes daily, 21 percent reported making them weekly and 20 percent reported making them monthly.

Many of the organizations had processes in place and/or documented known changes. Without having knowledge of all the changes that occurred, though, they had no way of measuring the effectiveness of their change management controls. This enabled IT staff to make system changes without oversight, risk assessment or documenting completed changes in case of service interruptions or security events. This was true (to a greater or lesser extent) regardless of entity or IT staff size.

Given the potential risks to organizations, IT change management (and the ability to verify the effectiveness of the process) is key to limiting the risk of security incidents and service interruptions.

The following two tabs change content below.
David Powis-Dow

David Powis-Dow

David has more than 12 years of information technology (IT) experience gained while in the retail and health care industries, including more than five years in information security. During his time in the health care field, he served as a Windows Server Administrator and Information Security Administrator and reviewed the security posture of numerous health information technology systems.

Leave a Reply

Your email address will not be published. Required fields are marked *