In virtually every industry, the success of an organization is inextricably linked to the reliability, availability and security of its Information Technology (IT). Consequently, IT management must identify and analyze the relevant risks facing its production environment and then put controls in place to prevent, detect and correct for them. Not only are these controls required for effective management, they are also good for business and fundamental to meeting regulatory compliance requirements.
Unauthorized access due to security breaches is a high-profile risk. Hackers outside the network, or more likely, employees or contractors with mean motive and opportunity, manage to bypass or defeat security defenses and make malicious changes to software files and system configurations. These unauthorized changes can have dire consequences, such as financial loss, disruptions to IT operations, and negative public perception.
Although security often gets the spotlight, the much greater risks to the organization are system reliability and availability issues. Gamer asserts that “80 percent of unplanned downtime is caused by people and process issues, including poor change management practices, while the remainder is caused by technology failure and disasters.” IDC cites similar findings that indicate that operator error is the single largest source of outages causing nearly 60 percent of overall infrastructure downtime. Many IT organizations, in the spirit of being nimble and response to their customers, are actually putting themselves at risk in the everyday process of making changes to their own systems.
If industry analysts are correct, and practical experience certainly indicates that they are, the greatest point of leverage for increasing the overall reliability, availability and security of information systems, and addressing related compliance requirements, is controlling change across the IT infrastructure.