In my previous blog we talked about the top three change management initiatives we forget to leverage for business benefit. In this second part of the series we look at two further critical areas that are often forgotten.
Identity Management refers to the management, administration and control of individual access within an organization to systems and devices. This is possible when a model is developed that associates user access rights and restrictions to their specific identity within the organization. What this establishes is a mechanism that helps administer what the person can do on the organization’s network and with what specific devices they can do it. This is becoming ever more important with more individuals accessing resources via their mobile devices.
This becomes important and valuable to change management because it manages three basic relationships: person–to-identity, identity-to-resource and access-to-identity. By managing these relationships, identity management can provide a very powerful structure by which change management can improve various components of its process; however, we will examine only two: review request for change and change planning.
During the first stage of change management, where the request is being initially reviewed, it is important to have a good understanding of the magnitude of the change impact even before progressing too far through the change management process. For example, an RFC is submitted to upgrade a certain system to address some faulty functionality and the identity management metrics clearly demonstrate that the individuals with access to it are all from a line of businesses that is about to launch a major sales promotion. With reference to this, it could then easily be inferred that the RFC might need to be scrutinized in a more expedited fashion, so that it either could be implemented faster before the sales promotion, or delayed so as not to affect the sales promotion. Yes, this determination should be captured during the impact assessment activities; however, it is possible that a considerable amount of time might pass between the review and the planning, making the expediting of the RFC impossible.
The change planning stage is the more obvious place where identity management data could improve change management since that is where the impact analysis is performed. In many cases, the impact assessment utilizes the information provided by the requester to assess who, and how many end users, might be affected. If, however, the change manager had available to him actual metrics about the end users and could very definitively establish how many users would be affected, and which lines of business they worked for, then it would greatly improve any decision-making ability in regard to the approval or rejection of the RFC.
The current utilization of asset/inventory management (A/IM) by change management is typically only in regard to inventory and not asset. What this means is that A/IM is typically used for ‘counts’ of devices not ‘costs.’ This improves the assessment of the potential financial impact of the change on the organization. As with any RFC, there are various approvals that might be needed, such as acceptable business risk, technical risk and financial cost.
Also valuable to the change management process would be to better understand the disposition of the device that is being modified. For example, if the device is nearing the end of its life, then it might be worth considering not upgrading the device at some cost and, instead, just allowing it to fulfill its current role without any further financial investment that the RFC might warrant.
Again, as with the identity management metrics, it could be far more efficient and accurate if the Change Manager and/or CAB had available the actual financial details of the device, system or service that was being modified rather than blindly accept the potentially misleading numbers provided by the requester in the RFC. Change management can be a challenge, but it is incredibly valuable. To accomplish it with the limited resources we are often given, it is important not to replicate efforts that are already in place and being performed by other parts of the organization. For this reason, it is important to pause at times and notice what others are doing and ask yourself, ‘Are they producing something that could help me when planning a change?’ ‘Is there data available that I can leverage to perform a better impact assessment?’ ‘Is there a tool that is being used that will help increase the success of implementing a change?’ ‘Are there opportunities to utilize other groups’ efforts to help with performing post-implementation reviews on changes?’
There are many other, smaller efforts occurring in your organization of which you may not be currently aware that could greatly benefit your change management effort. Just pause for a few minutes every once in a while and look at what others are doing that could help you. You only need to leverage one or two every year to realize major improvement in the capability of your change management process and, more importantly, the business outcomes it contributes to your organization.
What are your thoughts? Add your comments below and join the conversation!
Latest posts by Carlos Casanova (see all)
- Cybersecurity the Focus in Maryland with CyberMaryland 2017 - September 21, 2017
- Cybersecurity – Protecting the Internet a Shared Responsibility - September 7, 2017
- OWASP Top 10 Project Needs Your Support - September 5, 2017