Copy of Blueprint_Change Management
Faculty of Economics
Department of Statistics and Applied Informatics
MSc in Information Security
Project
Topic: Change Management
In order to remain competitive, companies need to innovate, stay relevant to their customers and expand their
footprint into new or emerging markets. So they have to change. An organization undergoing change is highly likely
to face hazards, one of which is a reduction in availability; yet in the modern world, information must be not only
secure but also timely. Change management enables the regulated and systematic implementation of changes, which
decreases the possibility of errors or mistakes that can impair availability.
In this IBM Redguide™ publication, we discuss processes and procedures for change management to help
ensure that the access and entitlements are removed in a timely fashion to mitigate risks of data theft and other
malicious activity.
In “Introducing the IBM Security Framework and IBM Security Blueprint” on page 2, we introduce the IBM
Security Framework and the IBM Security Blueprint because these are used for our change management
discussion to ensure that all important aspects are addressed. In the IBM Redbooks® publication Introducing the
IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security, REDP-4528, we
describe the IBM Security Framework and the IBM Security Blueprint in more detail.
In “Introducing change management process” on page 5, we discuss the concept of change management and
its importance. Under this topic we also discuss situations that require change management.
In “Business risks in change management” on page 6, we discuss the business risks that drive the need for
change processes, the key risks that need to be mitigated for change management, the key areas where
organizations need to focus, and the measurements required to prove that the risks are being mitigated.
In “Introducing control processes for change management” on page 9, we present several control processes that
need to be in place to mitigate the change risks, drawing on the IBM Security Blueprint.
In “Introducing a maturity model for change management controls” on page , we introduce a maturity model for
change security processes that will help organizations to assess their current level of control effectiveness and to
identify opportunities or areas for improvement.
Finally, in “IBM solutions to address maturity levels” on page , we sketch out some solutions that can help address
data and information protection management in change management.
The IBM Security Framework groups concerns into five key security domains, shown at the center of the diagram.
These domains are wrapped by the unifying topic of Security Governance, Risk Management, and Compliance.
While the IBM Security Framework addresses business-oriented concerns, the IBM Security Blueprint describes a
technology-agnostic and solution-agnostic view of the security management processes and security controls that
need to be in place to address the business security concerns.
The top-level components of the IBM Security Blueprint are shown in Figure 2.
The Foundational Security Management services describe the top-level services that need to be implemented in
order to achieve the required functionality addressed in the IBM Security Framework. These represent the layers
where the business requirements, as defined in the IBM Security Framework, are converted to top-level IT
services to fulfill these requirements. At this point, the threshold has been crossed from pure business related
viewpoints to actual IT systems.
The more common Security Services and Infrastructure layer contains infrastructure elements and services that
are used by the top level services in the Foundational Security Management services. These services represent
control points in the IT environment.
The Foundational Security Management services components follow Architectural Principles to manage the
common Security Services and Infrastructure using a closed-loop, risk management process, as shown in Figure 3.
To learn more details about the IBM Security Framework and the IBM Security Blueprint, please refer to the IBM
Redpapers™ publication Introducing the IBM Security Framework and IBM Security Blueprint to Realize
Business-Driven Security, REDP-4528.
The IBM Security Blueprint Redguide publications series are detailed investigations into specific types of security
controls, the business risks they address, and technology neutral discussions of how to implement these controls.
These guides are organized according to the Blueprint components to ensure all aspects of risk management are
addressed in the control.
This particular guide addresses the business risks and IT risks associated with employees, contractors, and
business partners ending their relationship with an organization, especially when the circumstances may not be
congenial.
Throughout this guide, we use the term employee, but the concepts and processes described here are equally
applicable to contractors and business partners. We use the term employee as a shorthand way of referencing all
people who are ending their relationship with an organization.
Introducing change management process
According to a study by McKinsey, companies that effectively manage change are 1.8 times more likely to be
successful in their industry than those who do not. This emphasizes the importance of implementing a robust
change management process to ensure successful outcomes and remain competitive in today's fast-paced
business environment.
Change management is the process through which modifications are submitted, reviewed, verified, and recorded
in order to lower the possibility that they compromise system availability or introduce new vulnerabilities.
Validation also takes place after a change has been made: the system needs to be tested to ascertain whether
the modification had the expected effect. Change management approvers should carefully evaluate the effects of
changes before notifying users and other parties. To reduce the potential impact on system availability, it is
advisable to schedule modifications during routine downtimes.
Requesting, approving, validating, and reporting system changes are all part of change management. An
organization can profit greatly from this procedure. In particular, it can improve an organization's capacity for
decision-making by teaching staff to carefully consider and assess changes before they are implemented, as well
as by providing a knowledge base of previous changes and the lessons discovered from prior events.
Change management is a crucial process that ensures smooth transitions in an organization. It involves managing
changes to processes, systems, and technologies in order to minimize disruption and negative impacts on
operations.
Effective change management is important because it helps organizations adapt to changes in the market,
industry, and technology. It ensures that any changes are implemented in a controlled manner and that any risks
associated with the changes are properly identified, assessed, and mitigated. This helps to minimize the negative
impacts of the changes on the organization and its stakeholders.
Change management also promotes consistency and standardization across an organization. It ensures that all
changes are documented and tracked, which allows for better visibility and control over the organization's
operations. This, in turn, helps to minimize the potential for errors, inconsistencies, and inefficiencies in processes
and systems.
Change management helps to build a culture of continuous improvement within an organization. By regularly
evaluating processes, systems, and technologies and making necessary improvements, organizations can stay
competitive and achieve greater efficiency and productivity.
In addition to these benefits, effective change management also promotes employee engagement and buy-in. By
involving employees in the change management process, organizations can address any concerns or
resistance to change and ensure that employees are properly trained and prepared for any changes that are
implemented.
The importance of change management cannot be overstated. It is a critical process that helps organizations to
adapt and thrive in a constantly changing business environment. By implementing effective change management
practices, organizations can minimize disruption, promote consistency and standardization, achieve greater
efficiency and productivity, and build a culture of continuous improvement.
● Kodak: In the 1990s, Kodak was a market leader in photographic film but failed to adapt to the digital age.
Kodak's management team was resistant to change, and the company ultimately filed for bankruptcy in
2012.
● Target: In 2013, Target suffered a major data breach that exposed the personal information of millions of
customers. The breach was caused by a lack of proper change management processes, including failing
to implement a security patch that could have prevented the breach.
● Nokia: Nokia was once a leading mobile phone manufacturer, but it struggled to keep up with the rapid
pace of innovation in the smartphone market. Nokia's failure to adapt to changing market conditions
ultimately led to a decline in market share and the sale of its mobile phone business to Microsoft.
● Volkswagen: In 2015, Volkswagen was involved in a scandal in which it was found to have used software
to cheat emissions tests. The scandal was a result of a lack of effective change management processes
and a culture that prioritized short-term gains over long-term sustainability.
● Blockbuster: Blockbuster was once a leading provider of video rentals but failed to adapt to the rise of
streaming services like Netflix. Blockbuster's management team was slow to embrace digital technology
and failed to recognize the changing preferences of consumers, ultimately leading to the company's
decline.
To effectively manage change and mitigate risks, organizations need to focus on the following key areas:
● Leadership and stakeholder engagement: Change management efforts must have strong leadership
support and involve key stakeholders at all levels of the organization. This helps ensure that everyone is
aligned and committed to the change initiative.
● Communication and training: Effective communication is critical for successful change management.
Organizations should communicate clearly and frequently with all stakeholders and provide training to
ensure that employees have the necessary skills and knowledge to support the change.
● Risk assessment and mitigation: Organizations must conduct a thorough risk assessment to identify
potential risks and develop a plan to mitigate them. This includes developing contingency plans in case of
unforeseen events and managing risks related to technology, finances, and human resources.
● Performance monitoring and evaluation: Organizations should track progress and evaluate the success of
the change initiative. This includes establishing metrics to measure success and conducting regular
evaluations to identify areas for improvement.
● Change control and project management: Organizations should have a structured change control process
in place to manage changes effectively and ensure that changes are made only after proper review and
approval. Effective project management is also essential for ensuring that the change initiative is
completed on time and within budget.
By focusing on these key areas, organizations can effectively manage change and mitigate risks.
1. Lower risk level: Following the implementation of mitigation measures, outcome measurements ought to
demonstrate a lower level of identified hazards. By comparing the risk levels before and after mitigation, this can
be quantified.
2. Improved teamwork and satisfaction: To determine whether mitigation efforts have been successful, employee
engagement and satisfaction should be assessed both before and after the change initiative is implemented.
3. Faster project delivery: If the change effort was carried out on schedule, within budget, and in compliance with
the necessary quality standards, this should also be a focus of the outcome measurements.
4. Better financial performance: The major financial metrics before and after the change initiative's execution
should be compared in order to identify changes that result in better financial performance.
5. Increased customer satisfaction: To measure the impact of changes on customers, customer satisfaction
ratings should be compared before and after the change project is put into place.
6. Compliance with legal and regulatory standards: To make sure that the change project doesn't lead to any new
risks or compliance issues, compliance with legal and regulatory requirements should be measured.
Businesses can assess the success of their risk reduction initiatives and make the required modifications to
improve their change management procedures by monitoring these results.
1. Create a change control board: To supervise the change management procedure, a change control board
(CCB) needs to be created. Changes should be reviewed and approved by the CCB, which should be composed
of representatives from several departments.
2. Create a change management policy: A change management policy that describes the steps involved in
submitting, examining, and approving changes needs to be created. Guidelines for handling changes and the
obligations of the CCB and other stakeholders should also be included in the policy.
3. Develop a change management plan: A change management plan should be developed that outlines the steps
for implementing changes. The plan should include details on how changes will be communicated, how
employees will be trained, and how risks will be mitigated.
4. Track and document change requests: To guarantee that they are appropriately examined and authorised, all
change requests need to be tracked and documented. Spreadsheets or change management systems can be
used for this.
5. Test changes before implementing them: To make sure that changes are operating as anticipated and do not
result in any unforeseen problems, changes should be carefully tested before being implemented.
6. Track and assess changes: In order to ascertain whether a change is producing the intended results, it is
important to track and assess it. This involves monitoring.
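The following is an added example, not code from this paper or from the IBM Blueprint, showing how the control steps above can be enforced in software: a change request that cannot be implemented without a CCB quorum and a recorded test, that the requester may not approve, that is applied only inside its maintenance window, and whose every step lands in an audit log. The state names, CCB members, quorum size and change id are constructed assumptions.

```python
"""Added example (not from the IBM Blueprint or this paper): a minimal change
control workflow that refuses implementation without CCB approval and a passed
test, enforces a maintenance window, and keeps an audit trail. Constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class State(Enum):
    SUBMITTED = "submitted"
    APPROVED = "approved"
    TESTED = "tested"
    IMPLEMENTED = "implemented"
    VALIDATED = "validated"
    ROLLED_BACK = "rolled_back"


# Permitted transitions: no implementation without approval and a passed test,
# and no validation before implementation.
TRANSITIONS = {
    State.SUBMITTED: {State.APPROVED},
    State.APPROVED: {State.TESTED},
    State.TESTED: {State.IMPLEMENTED},
    State.IMPLEMENTED: {State.VALIDATED, State.ROLLED_BACK},
}


class ChangeControlError(Exception):
    """A step was attempted out of order or by the wrong person."""


@dataclass
class ChangeRequest:
    change_id: str
    requester: str
    state: State = State.SUBMITTED
    approvers: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)  # the compliance record

    def _record(self, actor, event, detail=""):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "actor": actor, "event": event, "detail": detail})

    def _transition(self, actor, new_state, detail=""):
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ChangeControlError(f"{self.change_id}: {self.state.value} -> "
                                     f"{new_state.value} is not permitted")
        self.state = new_state
        self._record(actor, new_state.value, detail)

    def approve(self, approver, ccb_members, quorum=2):
        """Collect CCB votes; approval needs a quorum of distinct members."""
        if self.state is not State.SUBMITTED:
            raise ChangeControlError("change is not awaiting approval")
        if approver == self.requester:  # segregation of duties
            raise ChangeControlError("requester cannot approve own change")
        if approver not in ccb_members:
            raise ChangeControlError(f"{approver} is not a CCB member")
        self.approvers.add(approver)
        self._record(approver, "approval_vote")
        if len(self.approvers) >= quorum:
            self._transition(approver, State.APPROVED, f"quorum {quorum} reached")

    def record_test(self, tester, passed, evidence):
        """Test outcomes are recorded whether they pass or fail."""
        if not passed:
            self._record(tester, "test_failed", evidence)
            raise ChangeControlError("test failed; change stays unimplemented")
        self._transition(tester, State.TESTED, evidence)

    def implement(self, operator, window_start, window_end, now):
        """Implement only inside the agreed maintenance window."""
        if not window_start <= now <= window_end:
            raise ChangeControlError(f"{now.isoformat()} is outside the window")
        self._transition(operator, State.IMPLEMENTED, f"at {now.isoformat()}")

    def validate(self, validator, had_expected_effect):
        """Post-implementation check: confirm the change or roll it back."""
        self._transition(validator, State.VALIDATED if had_expected_effect
                         else State.ROLLED_BACK)


def run_demo():
    """Walk one constructed change through the workflow; return a summary."""
    ccb = {"bob", "carol", "dave"}
    cr = ChangeRequest("CHG-0001", requester="alice")
    start = datetime(2024, 3, 2, 1, tzinfo=timezone.utc)
    blocked = []
    try:  # implementing before approval must be refused
        cr.implement("alice", start, start.replace(hour=3), start.replace(hour=2))
    except ChangeControlError as exc:
        blocked.append(str(exc))
    cr.approve("bob", ccb)
    cr.approve("carol", ccb)
    cr.record_test("dave", True, "staging: handshake OK, chain valid")
    cr.implement("bob", start, start.replace(hour=3), start.replace(hour=2))
    cr.validate("carol", True)
    return {"state": cr.state.value, "blocked": len(blocked),
            "events": [e["event"] for e in cr.audit_log]}
```

`run_demo()` returns the final state, the number of refused steps and the ordered list of audit events. The audit log is the record a CCB or auditor would review; a refused step is not logged here because it never changed state, and a production system would record refused attempts too.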
Security Policy Management
A security policy is a set of rules and guidelines that an organization implements to protect its assets,
including information and data, from unauthorized access or theft. An essential component of change
management is security policy management, which guarantees that any modifications made to an
organization's systems or procedures comply with its security rules.
Organisations should first create a thorough security strategy that outlines the norms and regulations for
safeguarding assets from theft or unauthorised access in order to manage security policies efficiently. In
order to take into account modifications to the organization's systems, procedures, or working
environment, this policy should be reviewed and updated on a regular basis.
Once a security policy is in place, organizations should implement a security policy management
process that ensures all changes to the organization's systems or processes are reviewed for
compliance with the established security policy. This process typically involves a review board or
committee that evaluates proposed changes to determine their potential impact on security and
compliance with the established security policy.
Identification and mitigation of security risks related to proposed changes should also be part of the
security policy management process. For instance, the security policy management process must require
that new user accounts be created with the proper access controls and permissions whenever a change
calls for the creation of new user accounts. This will help to guarantee that the accounts do not present a
security risk.
Companies should also make sure that all staff members participating in the change management
procedure are trained on the security policy of the company and their responsibility for upholding it. Best
procedures for safeguarding private information, spotting security threats, and handling security crises
should all be covered in this training.
The following is an illustration of a security policy management process that can be built on the IBM framework
in the context of change management:
1. Determine the needs for security policies: Finding the security policy requirements for the
change effort is the task of this step. This involves determining any legal or compliance
standards that must be fulfilled. The organization's overall security goals and objectives should
be in line with the security policies.
2. Create security guidelines: Create security policies outlining the standards and processes that
must be adhered to based on the criteria for security policies that have been determined.
Policies should outline procedures for safeguarding confidential data, securing network
infrastructure, and controlling resource access.
3. Put security measures in place: Put in place security measures that deal with the security
policies. This entails setting up intrusion detection systems and firewalls, access controls, and
encryption. The controls should be tested to ensure that they are functioning as expected and
providing the required level of security.
4. Test security controls: Test the security controls to ensure that they are functioning as expected
and are providing the required level of security. To find any gaps in the security controls, this
involves running penetration tests and vulnerability scans.
5. Monitor security controls: Monitor the security controls to ensure that they continue to provide
the required level of security. This involves monitoring for security occurrences, reviewing
security logs, and conducting security audits.
6. Update security policies: Regularly review and update security policies to ensure that they
continue to meet the requirements of the change initiative. This includes incorporating feedback
from stakeholders and identifying any changes in regulatory or compliance requirements.
Having a clearly outlined incident response strategy is crucial for handling security issues that may arise
during the change management process. This plan should detail steps for detecting, controlling, and
resolving security incidents.
Through the adoption of these processes for managing security policies, companies can guarantee that
changes are handled securely. Successful security policy management is essential for the effectiveness
of change management. By creating a thorough security policy and executing a robust process for
managing it, organizations can guarantee that all alterations adhere to the established security protocols,
safeguarding their assets against unauthorized access or theft.
Assigning responsibilities is an important part of the control deployment and execution process.
Organizations must determine who is responsible for implementing and monitoring controls. This helps
ensure that the control deployment and execution process is accountable. Control testing is another
important step in the control deployment and execution process. Organizations must verify that controls
function as expected and provide the required level of security. This can be done through simulation
exercises or live testing.
Control monitoring is also important in the control deployment and execution process. Organizations
must monitor controls to ensure that they continue to maintain the required level of security. This
includes tracking security incidents, analyzing security logs and conducting security audits. Another
important aspect of the control deployment and execution process is reporting on the effectiveness of
controls. Organizations must report on the effectiveness of controls to stakeholders, including
management and auditors. This helps ensure that stakeholders are informed of the effectiveness of
controls in mitigating the risks associated with change.
Finally, it is important to regularly review and update the control plan to ensure that it continues to meet
the requirements of the change initiative. This includes identifying any changes in regulatory or
compliance requirements and incorporating feedback from stakeholders.
Overall, effective control deployment and execution are critical parts of the change management
process. By following these steps, organizations can ensure that changes are managed in a secure
manner and that security requirements are met.
Identity management processes are a crucial component of change management as they help
organizations ensure that only the right people have access to the right resources at the right time. The
overall goal of identity management is to provide a secure and compliant way to manage identities,
user accounts, and access rights across an organization's systems and applications. There are several
key components of identity management that are relevant to change management:
First, user account management is an important part of identity management. This includes creating and
managing user accounts and access rights in the organization's systems and applications. During
change management, it is important to ensure that new user accounts are created and existing
accounts are updated or deactivated as needed. This helps ensure that only authorized people can
access critical systems and applications.
Second, authentication and authorization are also important parts of identity management.
Authentication is the process of verifying a user's identity, while authorization refers to granting access
to certain resources based on the user's role and access rights. During change management, it is
important to ensure that authentication and authorization mechanisms exist and are working as
expected. This helps prevent unauthorized access to sensitive systems and applications.
Third, access control is another important part of identity management. Access control involves
controlling access and managing systems and applications based on user roles and responsibilities.
During change management, it is important to ensure that access control mechanisms are in place to
prevent unauthorized access to systems and applications, especially when risk increases.
Fourth, identity verification is an important part of identity management. Identity verification involves
verifying the identity of users before granting them access to systems and applications. This can be
achieved through a variety of mechanisms such as multi-factor authentication, biometric authentication
and identity verification questions. Authentication helps ensure that only authorized users can access
systems and applications.
Finally, identity governance is another important part of identity management. This includes ensuring that
identity management is compliant and secure, including monitoring user activity, identifying and
mitigating identity risks, and enforcing compliance policies. During change management, it is important
to ensure that identity management policies and procedures are in place to help manage the risks
associated with change.
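As an added example (not from the page), the account lifecycle, authorization and governance points above can be turned into a post-change reconciliation check: compare the accounts a change request authorised with what the directory actually shows afterwards, and raise findings for accounts that should have been deactivated but are still enabled, new accounts holding permissions beyond their role, privileged accounts without MFA, and accounts that appeared outside the change process. The roles, permissions, user ids and the MFA rule are constructed assumptions.

```python
"""Added example (not from the page): reconciling the account changes a change
request authorised against the directory state observed afterwards. The roles,
permissions, user ids and the MFA rule are constructed assumptions."""

# Hypothetical policy: the permissions each role may hold, and the roles
# privileged enough to require multi-factor authentication.
ROLE_PERMISSIONS = {
    "finance_clerk": {"ledger:read", "ledger:post"},
    "auditor": {"ledger:read", "audit_log:read"},
    "sysadmin": {"ledger:read", "ledger:post", "host:admin"},
}
MFA_REQUIRED_ROLES = {"sysadmin"}


def reconcile(baseline, plan, observed):
    """Compare what the change authorised with what actually exists.

    baseline: set of user ids that existed before the change
    plan:     {"create": {uid: role}, "deactivate": {uid, ...}}
    observed: {uid: {"enabled": bool, "role": str, "permissions": set,
                     "mfa": bool}} read from the directory afterwards
    Returns [(severity, uid, finding), ...] with high severity first.
    """
    rank = {"high": 0, "medium": 1}
    findings = []

    # 1. Accounts the change said to deactivate must no longer be enabled.
    for uid in plan["deactivate"]:
        acct = observed.get(uid)
        if acct is not None and acct["enabled"]:
            findings.append(("high", uid, "scheduled for deactivation but still enabled"))

    # 2. Accounts the change created must match the planned role, hold only
    #    that role's permissions, and have MFA if the role is privileged.
    for uid, role in plan["create"].items():
        acct = observed.get(uid)
        if acct is None:
            findings.append(("medium", uid, "planned account was not created"))
            continue
        if acct["role"] != role:
            findings.append(("high", uid, f"role is {acct['role']}, plan said {role}"))
        extra = acct["permissions"] - ROLE_PERMISSIONS.get(role, set())
        if extra:
            findings.append(("high", uid, f"permissions beyond role: {sorted(extra)}"))
        if role in MFA_REQUIRED_ROLES and not acct["mfa"]:
            findings.append(("high", uid, "privileged role without MFA enrolled"))

    # 3. An enabled account that is in neither the baseline nor the plan was
    #    created outside the change process.
    for uid, acct in observed.items():
        if acct["enabled"] and uid not in baseline and uid not in plan["create"]:
            findings.append(("high", uid, "account created outside the change process"))

    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


def _acct(enabled, role, permissions, mfa):
    """Build one observed directory entry (constructed data helper)."""
    return {"enabled": enabled, "role": role, "permissions": set(permissions), "mfa": mfa}


# Constructed sample: a finance-system change onboards two accounts and retires
# one; the snapshot below is what the directory showed after implementation.
BASELINE = {"u1001", "u1002", "u1003"}
PLAN = {"create": {"u2001": "finance_clerk", "u2002": "sysadmin"},
        "deactivate": {"u1003"}}
OBSERVED = {
    "u1001": _acct(True, "auditor", ["ledger:read", "audit_log:read"], True),
    "u1002": _acct(True, "finance_clerk", ["ledger:read", "ledger:post"], False),
    "u1003": _acct(True, "finance_clerk", ["ledger:read"], False),  # never disabled
    "u2001": _acct(True, "finance_clerk",
                   ["ledger:read", "ledger:post", "host:admin"], False),  # over-privileged
    "u2002": _acct(True, "sysadmin",
                   ["ledger:read", "ledger:post", "host:admin"], False),  # no MFA
    "u3001": _acct(True, "sysadmin", ["host:admin"], True),  # not in the plan
}


def sample_findings():
    """Run the reconciliation over the constructed sample."""
    return reconcile(BASELINE, PLAN, OBSERVED)
```

`sample_findings()` returns four high-severity findings for the sample: the account that was never disabled, the clerk account that received an administrative permission, the administrator without MFA, and the account that was created without a change request. Running such a check as the validation step of every change that touches identities gives the CCB evidence rather than assurances.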
The first step in assessing risk and compliance is to identify the potential risks associated with the
proposed change. This may include risks to data integrity, system availability or regulatory compliance.
Risks can come from a number of sources, including the change itself, external factors such as
changes in laws or regulations, or internal factors such as employee behavior or system vulnerabilities.
Once potential risks are identified, they should be assessed. For this, it is necessary to assess the
possible impact of the risk and the probability of its realization. Risks that are more likely to occur and
have a greater potential impact should be mitigated as a priority.
Based on the severity of the known risks, risk management strategies should be developed to reduce
the likelihood and impact of the risk. This may include contingency plans, implementation of additional
security measures or additional testing.
Compliance with legal requirements should be assessed as part of a risk and compliance assessment.
This includes evaluating the proposed change against applicable laws, regulations and industry
standards. Non-compliance can result in financial penalties, legal action and reputational damage.
Results of the risk and compliance assessment must be thoroughly documented, including identified
risks, severity assessment and risk mitigation strategies. This documentation must be kept in a safe
and easily accessible place. It is important to regularly review and update the risk and compliance
assessment, especially when changes are made to the proposed change, regulatory requirements or
industry standards.
Risk and compliance assessment is essential to effective change management. This helps identify
potential risks and ensure compliance with regulations and industry standards. By identifying potential
risks, assessing risk significance, developing risk management strategies, ensuring compliance,
documenting the assessment and regularly reviewing and updating it, organizations can ensure that
their change management processes are effective and compliant.
Performance indicators
Performance indicators are key metrics that can be used to assess the success of change
management processes. They provide a way to track progress and identify areas for improvement.
Some common performance indicators include change success rate, time to implement change,
change backlog, change lead time, change failure rate, customer satisfaction, and cost savings.
Change success rate measures the percentage of changes that are implemented without any negative
impact on the organization. Time to implement change tracks the amount of time it takes to implement
a change, from initiation to completion. Change backlog measures the number of proposed changes
that have not yet been implemented, while change lead time tracks the time it takes for a proposed change
to move through the change management process.
Change failure rate measures the percentage of changes that are not successfully implemented or that
result in negative impact on the organization. Customer satisfaction measures the satisfaction of
stakeholders, such as end-users or customers, with the change management process. Cost savings measures
the amount of cost savings achieved through effective change management processes, such as reducing
downtime or avoiding rework.
Regularly tracking and analyzing these performance indicators can help organizations identify areas
for improvement and measure the success of change management processes. By setting measurable
goals and tracking progress towards those goals, organizations can continuously improve their change
management processes and achieve greater efficiency and effectiveness.
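As an added example (not from the page), the indicators listed above can be computed directly from a change log so that they are tracked rather than estimated. The record layout, the dates, and the split between "time to implement" (submitted to implemented) and "lead time" (submitted to approval, the time spent inside the change process) are assumptions made here; the thresholds in the concern check are likewise constructed.

```python
"""Added example (not from the page): computing the change management
performance indicators named in the text from a change log. The record
layout, the dates, the time-to-implement / lead-time split and the thresholds
are assumptions made here."""
from datetime import date
from statistics import mean, median


def _days(start, end):
    """Whole days between two ISO date strings."""
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def change_kpis(changes, as_of):
    """changes: list of dicts with id, submitted, approved, implemented
    (ISO date strings or None), outcome ("success" or "failed" once
    implemented, else None) and cost_saved. as_of: ISO date of the report."""
    implemented = [c for c in changes if c["implemented"]]
    backlog = [c for c in changes if not c["implemented"]]
    successes = [c for c in implemented if c["outcome"] == "success"]
    # Anything implemented that was not a clean success counts as a failure
    # (rolled back, caused an incident, or otherwise had negative impact).
    failures = [c for c in implemented if c["outcome"] != "success"]
    lead = [_days(c["submitted"], c["approved"]) for c in changes if c["approved"]]
    to_impl = [_days(c["submitted"], c["implemented"]) for c in implemented]
    n = len(implemented)
    return {
        "implemented": n,
        "success_rate": len(successes) / n if n else None,
        "failure_rate": len(failures) / n if n else None,
        "backlog": len(backlog),
        "oldest_backlog_days": max((_days(c["submitted"], as_of) for c in backlog),
                                   default=0),
        "mean_lead_time_days": mean(lead) if lead else None,
        "median_time_to_implement_days": median(to_impl) if to_impl else None,
        "cost_saved": sum(c["cost_saved"] for c in successes),
    }


def flag_concerns(kpis, max_failure_rate=0.2, max_backlog_age=14):
    """Turn the numbers into the 'areas for improvement' the text asks for."""
    concerns = []
    if kpis["failure_rate"] is not None and kpis["failure_rate"] > max_failure_rate:
        concerns.append("failure rate above target; review testing and approval rigour")
    if kpis["oldest_backlog_days"] > max_backlog_age:
        concerns.append("stale requests in backlog; review CCB throughput")
    return concerns


# Constructed sample change log (five changes over two weeks).
SAMPLE_CHANGES = [
    {"id": "CHG-1", "submitted": "2024-01-01", "approved": "2024-01-02",
     "implemented": "2024-01-05", "outcome": "success", "cost_saved": 1200},
    {"id": "CHG-2", "submitted": "2024-01-02", "approved": "2024-01-05",
     "implemented": "2024-01-12", "outcome": "failed", "cost_saved": 0},
    {"id": "CHG-3", "submitted": "2024-01-03", "approved": "2024-01-06",
     "implemented": None, "outcome": None, "cost_saved": 0},
    {"id": "CHG-4", "submitted": "2024-01-04", "approved": "2024-01-06",
     "implemented": "2024-01-10", "outcome": "success", "cost_saved": 800},
    {"id": "CHG-5", "submitted": "2024-01-05", "approved": None,
     "implemented": None, "outcome": None, "cost_saved": 0},
]


def sample_report(as_of="2024-01-20"):
    """KPIs and concerns for the constructed log as of the given date."""
    kpis = change_kpis(SAMPLE_CHANGES, as_of)
    return kpis, flag_concerns(kpis)
```

`sample_report()` returns the indicator dictionary together with the concerns it triggers; on the constructed log the failure rate is one in three and the oldest open request is seventeen days old, so both thresholds fire. Computing the figures from the same records the CCB keeps means the report and the audit trail cannot drift apart.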
Process integrity and compliance records are an essential part of change management, providing an
audit trail to demonstrate compliance with established policies, procedures, and regulatory
requirements throughout the change management process. To ensure process integrity and
compliance, organizations should establish clear policies and procedures that outline the change
management process, including roles and responsibilities, change request forms, change approval
processes, testing procedures, and implementation plans.
Throughout the change management process, compliance records should be maintained, including
records of change requests, approvals, testing results, and implementation plans. These records help
organizations demonstrate compliance with regulatory requirements and internal policies, providing an
audit trail to support ongoing compliance.
A centralized decision-making structure, where decisions are made by a small number of people at the
top of the organizational hierarchy and then trickle down to lower-level employees, is the basis of
command and control management. When used in relation to change management, the term
"command and control management" can allude to a top-down strategy in which higher-level
executives make decisions about the change and subsequently inform lower-level staff members.
Although command and control management has its uses, it is sometimes criticized for being rigid and
unadaptable. When it comes to change management, a command and control strategy may backfire
and cause employees to lose faith in the process because they don't think their opinions matter or are
taken into account when making decisions.
Organizations can take a more inclusive and collaborative approach to change management in order
to reduce the risks related to command and control management. This can entail asking staff members
for their opinions and input, involving them in decision-making, and involving them in the change
process at all organizational levels. Organizations can increase employee buy-in and support for
change and increase the change's long-term success by taking a more collaborative approach.
The effectiveness of the controls put in place to manage the risks related to the change can be
assessed using a process called the control effectiveness assessment. The process can assist in
ensuring that controls are in place, effective in reducing the risks associated with the change, and that
any modifications to the controls are doing so as intended.
For instance, controls like user access controls, segregation of duties, and system validation checks
may be put in place if a financial system is being modified to enhance its functionality in order to
reduce the risks involved with the change. The efficiency of these controls in reducing those risks could
be assessed using a control effectiveness assessment procedure.
The procedure might involve determining which controls have been put in place to manage the risks
connected to the change, testing those controls to make sure they are operating as intended, and
evaluating how well those controls are mitigating the risks that have been identified. Should the
controls prove to be ineffectual, suggestions for enhancements or supplementary measures could be
provided.
Organizations can make sure that the controls implemented to manage the risks associated with the
change are effective and that any modifications made to the controls are also effective in mitigating
those risks by performing a control effectiveness assessment process in the context of change
management. This can make it more likely that the change will be successful and the organization will
be able to meet its goals.
A useful method for assessing a change management initiative's efficacy is the outcomes assessment
process. During this process, the initiative, its aims and objectives, and the results that were attained
are all thoroughly reviewed. Clearly defining the aims and objectives of the change management
program is the first step in the outcomes assessment process. This will make it easier to make sure
that the evaluation is concentrated on the initiative's most crucial elements and that the findings have
significance.
The gathering of data regarding the change management initiative's results is the next stage. Data on
improvements in productivity, quality, customer satisfaction, and other pertinent metrics may be
included in this. After gathering the data, it needs to be examined to see if the change management
program was successful in achieving its objectives. Comparing the data to pre-implementation metrics,
benchmarks, or industry standards may be part of this analysis.
Following the outcomes assessment process, stakeholders including senior management, project
sponsors, and clients are informed of the findings. The initiative's goals and objectives, the data
gathered, and the analysis of the findings should all be spelled out in detail in the report.
Recommendations for areas in need of improvement and prospects for new projects may also be
included in the report.
The change management initiative can be modified and areas for improvement can be found by using
the outcomes assessment process. This can guarantee that successive efforts are even more fruitful.
All things considered, an outcomes assessment procedure is a valuable instrument for assessing the
accomplishment of a change management program and guaranteeing that a company can meet its
goals.
The process of managing and regulating changes to IT systems, infrastructure, applications, and
services in an organized and methodical manner in order to reduce risk and preserve business
continuity is known as change management. It is crucial to take data and information protection into
account when making changes.
It is important to identify and categorize sensitive data before making any modifications to the IT
environment. This helps ensure that the proper protection measures are implemented according to the
degree of sensitivity of the data. Financial information, intellectual property, personally identifiable
information (PII), and other private information are a few examples of sensitive data.
A risk assessment should be carried out to determine the possible dangers and effects of making
changes to sensitive data. This helps determine the degree of safeguarding and the mitigating actions
required to lower the risk to a manageable level. Risks include loss of availability of sensitive data,
unauthorized access, and loss of data integrity.
It is important to put access control mechanisms in place to guarantee that only individuals with
permission can access sensitive information. Role-based access control, access log monitoring, and
authentication methods like passwords or biometric identification are examples of access control
measures. These steps can aid in preventing unwanted access to private information.
Sensitive data should be encrypted both in transit and at rest to protect against unauthorized access.
Encryption technologies such as SSL/TLS, AES, and RSA can be used to secure data in transit and at
rest. Encryption can help prevent data breaches and protect sensitive data from being accessed by
unauthorized users.
Regular backups of data should be performed and securely stored off-site to ensure that data can be
recovered in case of a disaster or other unexpected event. Backups can help prevent data loss or
corruption during the change management process. The backup process should be tested regularly to
ensure that data can be recovered in the event of a disaster.
IBM solutions can be used to help ensure data protection and compliance with relevant regulations.
Some key considerations for data and information protection management in change management
include:
1. Data classification: Identifying and categorizing data based on its sensitivity and importance
can help ensure that appropriate protection measures are in place.
2. Access controls: Implementing access controls such as role-based access control and multi-
factor authentication can help ensure that only authorized individuals have access to sensitive
data.
3. Encryption: Encryption can help protect data both at rest and in transit, ensuring that even if
data is intercepted or stolen, it cannot be read without the appropriate decryption key.
4. Audit and logging: Keeping logs of all activities related to sensitive data, including access
attempts and modifications, can help ensure that any unauthorized activity is quickly detected
and addressed.
5. Compliance monitoring: Regularly monitoring compliance with relevant regulations and industry
standards can help ensure that data protection measures remain effective and up-to-date.
Data and information protection management is an essential aspect of change management to
ensure that sensitive data is protected throughout the change management process. By
implementing appropriate data protection measures and conducting regular risk assessments,
organizations can minimize the risk of data breaches and ensure business continuity.
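The audit and logging consideration above, worked through as an added example that is not code from the IBM Redguide: the script correlates constructed audit events on classified assets with a constructed change register and flags every modification to sensitive data that no approved change request covers within its implementation window. Asset names, ticket ids and log lines are all assumptions.

```python
"""Added example (not IBM's code): review audit events for changes to sensitive
data that no approved change request covers. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime

SENSITIVITY = {"db.payroll": "PII", "db.ledger": "financial", "fs.marketing": "public"}  # constructed

@dataclass(frozen=True)
class ChangeRecord:
    change_id: str        # constructed ticket ids, not real ones
    asset: str
    approved: bool
    start: datetime       # approved implementation window
    end: datetime

# Constructed change register: one approved change, one still awaiting approval.
CHANGE_REGISTER = {
    "CHG-0001": ChangeRecord("CHG-0001", "db.payroll", True,
                             datetime(2024, 3, 1, 22, 0), datetime(2024, 3, 2, 2, 0)),
    "CHG-0002": ChangeRecord("CHG-0002", "db.ledger", False,
                             datetime(2024, 3, 1, 22, 0), datetime(2024, 3, 2, 2, 0)),
}

# Constructed audit lines: "<iso-time> <user> <action> <asset> [<change-id>]".
AUDIT_LOG = [
    "2024-03-01T23:10:00 alice MODIFY db.payroll CHG-0001",  # covered by approved change
    "2024-03-02T03:30:00 alice MODIFY db.payroll CHG-0001",  # after the window closed
    "2024-03-01T23:15:00 bob MODIFY db.ledger CHG-0002",     # change never approved
    "2024-03-01T23:20:00 carol MODIFY db.payroll",           # no change reference at all
    "2024-03-01T23:25:00 dave READ db.payroll",              # a read, not a change
    "2024-03-01T23:30:00 erin MODIFY fs.marketing",          # public data, out of scope here
    "2024-03-01T23:35:00 frank DELETE db.ledger CHG-9999",   # reference to no known change
]

def parse_event(line):
    """Split one audit line into (timestamp, user, action, asset, change_id or None)."""
    parts = line.split()
    change_id = parts[4] if len(parts) > 4 else None
    return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], change_id

def coverage_gap(ts, asset, change_id):
    """Return None if an approved change covers this event, else why it does not."""
    if change_id is None:
        return "no change reference"
    rec = CHANGE_REGISTER.get(change_id)
    if rec is None:
        return "unknown change reference"
    if rec.asset != asset:
        return "change references a different asset"
    if not rec.approved:
        return "change not approved"
    if not rec.start <= ts <= rec.end:
        return "outside approved window"
    return None

def find_unauthorized_changes(lines):
    """Return (user, asset, change_id, reason) for each uncovered change to sensitive data."""
    findings = []
    for line in lines:
        ts, user, action, asset, change_id = parse_event(line)
        if action not in ("MODIFY", "DELETE"):
            continue  # reads belong to access review, not change control
        if SENSITIVITY.get(asset, "unclassified") == "public":
            continue  # unclassified assets are still checked; public ones are not
        reason = coverage_gap(ts, asset, change_id)
        if reason is not None:
            findings.append((user, asset, change_id, reason))
    return findings
```

Feeding the constructed log through find_unauthorized_changes yields four findings (window overrun, unapproved change, missing reference, unknown reference), each of which a change advisory board or security operations team would review.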
IBM Solutions
IBM provides a range of solutions for data protection management to help organizations protect their
sensitive data from unauthorized access, data loss, and corruption. IBM solutions that can help
address data and information protection management in change management include:
● IBM Guardium: A data security and compliance solution that can help organizations monitor
and protect sensitive data across databases, file systems, and big data environments.
● IBM Security Identity Governance and Intelligence: A solution that can help organizations
manage access controls and ensure compliance with relevant regulations and industry
standards.
● IBM Cloud Pak for Security: An integrated security platform that can help organizations detect
and respond to security threats across hybrid cloud environments.
● IBM QRadar: A security intelligence platform that can help organizations monitor and analyze
security data from a variety of sources to detect and respond to security incidents.
By integrating these solutions into the change management process, organizations can help ensure
that data and information are adequately protected throughout the change process, minimizing the risk
of data breaches or other security incidents.
Assurance for change management is a collection of procedures and technological tools intended to
ensure the quality, reliability, and availability of systems, software, and services throughout the
change management process. These solutions usually combine manual review and approval
procedures with automated analytics, testing, and monitoring tools.
Software assurance in software development means evaluating and validating a program's
performance, security, and functionality to make sure it satisfies the necessary requirements and
specifications. In addition to security and vulnerability testing, this can involve unit, integration, and
user acceptance testing.
System assurance involves ensuring the reliability and availability of hardware systems and
infrastructure, such as servers, storage devices, and networking equipment. This can involve regular
maintenance and monitoring, as well as disaster recovery and business continuity planning.
Service assurance involves ensuring the quality and availability of IT services, such as help desk
support, application hosting, and cloud computing services. This can involve monitoring and managing
service-level agreements (SLAs), as well as ensuring the availability and performance of underlying
systems and infrastructure.
Before changes are implemented in production environments, they should be carefully tested,
approved, and monitored. Software, system, and service assurance solutions help ensure this, which
lessens the possibility of data loss, system failures, and other unfavorable effects from poorly handled
changes.
Software, System, and Service Assurance makes sure that before any modifications are implemented,
they are carefully tested, validated, and compliant with quality standards. A more thorough explanation
of how these elements can be handled in change management is provided below:
1. Define Quality Standards: Clearly define the quality standards that must be met for software,
system, and service changes. This may include standards for software testing, system
validation, and service level agreements. Quality standards should be established based on
industry best practices, regulatory requirements, and organizational policies.
2. Implement Automated Testing: Implement automated testing tools and processes to help
ensure that changes are thoroughly tested and validated before being implemented. This can
include unit testing, integration testing, regression testing, and performance testing. IBM
provides tools such as IBM Rational Quality Manager and IBM Rational Test Workbench to
support automated testing.
3. Establish Configuration Management: Implement configuration management processes to
ensure that all software, system, and service components are properly identified, documented,
and tracked. This can include version control, change management, and release management.
IBM provides solutions such as IBM Rational ClearCase and IBM Rational ClearQuest to
support configuration management.
4. Conduct Audits: Conduct regular audits to ensure that all software, system, and service
changes are being implemented in accordance with established quality standards and
processes. Audits should be conducted by an independent party to ensure objectivity and
impartiality. IBM provides solutions such as IBM Rational Policy Tester to support compliance
auditing.
5. Monitor Performance: Continuously monitor the performance of software, systems, and
services to identify potential issues and ensure that quality standards are being met. This can
include monitoring for system availability, response times, and error rates. IBM provides
solutions such as IBM Tivoli Monitoring to support performance monitoring.
6. Establish Service Level Agreements (SLAs): Establish SLAs to define the level of service that
will be provided for software, systems, and services. SLAs should be based on the needs of the
organization and should include metrics such as availability, response time, and support hours.
IBM provides solutions such as IBM Tivoli Service Level Advisor to support the establishment
and management of SLAs.
The following procedures outline how threat and vulnerability management can be incorporated into
the change management process:
1. Identify Potential Threats and Vulnerabilities: The first step is to identify the potential threats
and vulnerabilities associated with the changes being made, and to assess the organization's
assets for threats and vulnerabilities that could affect them. This may include reviewing security
logs, analyzing potential attack vectors, and conducting risk assessments, vulnerability scans,
and penetration testing.
2. Assess Risks: Once potential threats and vulnerabilities have been identified, the next step is to
assess the risks associated with each. This involves evaluating the likelihood and potential
impact of each threat and vulnerability, and determining which ones pose the greatest risk to
the organization and which risks need to be addressed first.
3. Implement Controls: To mitigate the risks associated with identified threats and vulnerabilities,
controls must be implemented. These controls may include implementing security patches,
updating access controls, and implementing intrusion detection systems. IBM provides a range
of security solutions such as IBM QRadar and IBM Security Identity Governance and
Intelligence to help implement controls.
4. Monitor and Test: Once controls have been implemented, it is important to continuously monitor
and test the effectiveness of these controls. This may involve regular vulnerability scanning and
penetration testing, as well as monitoring security logs and user activity. IBM provides solutions
such as IBM Security AppScan and IBM Security Access Manager to help with monitoring and
testing.
These steps will help to ensure that changes are made in a secure and compliant manner.
Threat and Vulnerability Management typically involves a number of different activities, including
scanning for vulnerabilities, analyzing and prioritizing identified threats, and implementing security
controls and mitigations to reduce the risk of a successful attack.
Threat and Vulnerability Management also involves ongoing monitoring and reporting to ensure that
security measures are effective and up to date in the face of evolving threats and attack vectors. This
may include the use of security information and event management tools, intrusion detection systems,
and other monitoring technologies.
Effective Threat and Vulnerability Management requires a comprehensive approach that involves not
only technology solutions, but also policies, procedures, and training programs that help ensure that all
personnel are aware of the risks and best practices for maintaining security.
Organizations can evaluate their current level of control effectiveness and pinpoint opportunities or
areas for improvement by introducing a change management control maturity model. Usually, a
maturity model is composed of several stages, each of which denotes a different stage of
implementation maturity for change management controls.
Ad hoc, poorly defined, and reactive change management processes are usually indicative of the first
stage of a maturity model. Since there is little to no formal control over the change management
process at this stage, changes can be made without the necessary approval or review.
The creation of more structured change management procedures characterizes the second stage. This
could entail putting in place change control procedures, forming a change advisory board, and
developing a change management policy.
Process optimization for change management characterizes the third stage. This could entail creating
change management metrics, putting automated change management tools into practice, and creating
service-level agreements (SLAs) for change management.
The integration of change management with other IT service management procedures, like incident
and problem management, is what defines the fourth stage. This could entail putting in place a service
management framework, like ITIL.
A defining feature of the fifth and final stage is the ongoing enhancement of change management
procedures. This could entail implementing a formal change management process improvement
program, adopting best practices for change management, and creating a culture of continuous
improvement.
Organizations can evaluate their current level of control effectiveness and find areas for improvement
by introducing a change management control maturity model. Organizations can increase the efficacy
of their change management procedures, lower the possibility of unfavorable changes occurring, and
improve overall IT service delivery by striving to increase their level of maturity.
IBM offers a range of solutions to address maturity levels in change management. These solutions
include IBM Control Desk, IBM DevOps, IBM Service Management Suite for z/OS, IBM Resilient, and
IBM Security Guardium.
IBM Control Desk is a centralized platform for managing IT service requests, incidents, problems, and
changes. It includes a suite of capabilities for change management, such as change request tracking,
change approval workflows, and change impact analysis. This solution can help organizations to
achieve greater visibility and control over their change management processes, by providing a single,
integrated platform for managing all IT service requests and incidents.
IBM DevOps is a set of tools and practices for automating software development, testing, and
deployment. It includes change management capabilities such as version control, release
management, and continuous delivery. By automating the software development lifecycle, DevOps can
help organizations to accelerate their release cycles while maintaining high levels of quality and
compliance.
IBM Service Management Suite for z/OS is a set of tools for managing IBM mainframe environments. It
includes a range of capabilities for change management, such as change tracking, change approval
workflows, and change impact analysis. This solution can help organizations to manage their
mainframe environments more effectively, by providing a centralized platform for managing all aspects
of change management.
IBM Resilient is a platform for managing incident response processes. It includes capabilities for
change management, such as change request tracking, change approval workflows, and change
impact analysis. This solution can help organizations to improve their incident response processes by
providing a centralized platform for managing all aspects of incident response, including changes to
systems and processes.
IBM Security Guardium is a set of tools for managing database security and compliance. It includes a
range of capabilities for change management, such as change tracking, change approval workflows,
and change impact analysis. This solution can help organizations to manage their databases more
effectively by providing a centralized platform for managing all aspects of database security and
compliance, including changes to database configurations and access controls.
These solutions can help organizations to improve the maturity levels of their change management
controls by providing them with the tools and processes needed to manage changes effectively. By
using these solutions, organizations can reduce the risk of negative outcomes associated with
changes, improve IT service delivery, and enhance overall business performance.
Summary
In conclusion, it is critical to effectively manage the change process for as long as changes are an
integral part of an organization's existence. If organizational changes are not managed, the business
will be exposed to risks. We have provided a set of control procedures and methods in this guide that
can assist in reducing these risks related to IT security. Clear policies and procedures that specify the
steps needed to manage changes are essential to ensuring the security of a change management
process. Creating a thorough approval procedure to guarantee that changes are approved prior to
implementation is part of this. To make sure that all modifications adhere to business guidelines and
industry standards, they should be duly recorded and periodically reviewed. Policies can be enforced,
processes can be automated, and error risk can be decreased with the use of change management
technologies and tools. Regardless of the scope or intricacy of the change, these tools can guarantee
that it is managed consistently and successfully.
The IBM white paper Take a holistic approach to business-driven security provides an overview of the
IBM security approach and IBM Service Management initiatives from a business perspective.