Financial Audit Division Report 18-01 | Released January 10, 2018 |
Changes to government systems are necessary to help agencies meet evolving business needs, address new compliance requirements, and fix security vulnerabilities. Closely managing changes is extremely important because all changes pose risks to the stability of highly-complex systems and the availability of critical government services.
Organizations that manage complex technology systems typically adopt strict change management processes. These processes help technology leaders understand and manage risk while making carefully planned changes to systems. The overarching goal of change management is to minimize the impact of change-related incidents.
MNIT Services had generally adequate change management controls. The agency had adequate policies and standards, and changes that we tested followed those standards. However, disparate change management software products and processes may increase the likelihood of change-related failures and prolonged service outages. We also found that MNIT lacks key controls to detect unauthorized changes.