S 2.423 Specification of responsibilities for patch and change management
Initiation responsibility: Top Management, Head of IT
Implementation responsibility: Head of IT
When establishing patch and change management, a number of responsibilities must be defined. For every area of responsibility and every organisational unit, it must be specified exactly which responsibilities each employee has within the patch and change process and how coordination between the individual units is to be carried out.
It sometimes happens that the employees of different units of an organisation have different responsibilities regarding the implementation of changes. For example, one unit may be responsible for supporting the basic operating systems and another unit may be responsible for supporting the services installed on them (e.g. email server, specialised application, etc.). As a consequence, different units may be responsible for patching a single overall system. In such cases, it is particularly important that the responsibilities have been defined unambiguously.
The responsibilities assigned this way should also be reflected in the authorisation concept when configuring the tools for the distribution of patches and changes and when configuring the IT system.
A coordinated procedure is absolutely necessary for changes. No employee may perform changes without having discussed the changes with the Change Manager beforehand. All employees of IT operations must coordinate relevant changes with the Change Manager as a matter of principle. This way, it is ensured that possible changes do not impair each other or result in a system failure.
The Change Manager is the central role performing the processes of coordinating and evaluating changes. A person must therefore be appointed to this role within the organisation so that change and patch management can be performed effectively and efficiently. The Change Manager filters, accepts, and classifies all requests for change. Furthermore, he/she is responsible for obtaining the required authorisations and for planning, coordinating, and performing changes.
In organisations that are at least medium-sized, or that have complex IT infrastructures, the Change Manager should be supported in his/her work by a Change Advisory Board (CAB). It has proven effective to appoint one person from each specialised department as a member of the CAB, along with the persons responsible for the technical implementation of patch and change tasks. The CAB is convened at regular, defined intervals in order to evaluate changes and to support the Change Manager in assessing, prioritising, and authorising them. Normally, only selected serious changes are presented to the CAB, and its composition may vary accordingly. For example, the entire CAB could meet every 3 months to discuss critical requests for change.
For non-critical, regular changes, the consultations may be performed directly between the Change Manager and the responsible administrators and/or the test team.
For the CAB to be able to perform its activities properly, its members must be able to evaluate the importance and effects of changes both from the perspective of business objectives and processes and from a technical perspective.
Review questions:
- Has a person responsible for patch and change management been designated in each organisational unit?
- Are the defined responsibilities regarding patch and change management also reflected in the authorisation concept?
- Has a Change Manager been appointed?
- Are all persons responsible for implementing the patch and change management process familiar with the terms of patch and change management, with information security, and with the cryptographic procedures?