CAB Change Advisory & Management Process

This document discusses enhancements to a company's change management process. It identifies three types of changes - standard, normal, and emergency changes - and describes what level of authorization is required for each. The document then provides eight recommended enhancements, such as recategorizing some changes as standard, defining a risk matrix to classify changes, integrating the change management database with the configuration management database, and improving the application commissioning process. The overall goal is to streamline the change management process and ensure compliance with best practices.

Uploaded by Mahaboob Peer
Copyright: © All Rights Reserved

Change management Process Enhancements:

Types of Changes:

• Standard changes.

These are low-risk, well-understood, fully documented, pre-authorized changes that can be
implemented without needing additional authorization. They are typically implemented as service
requests but may also include operational changes.

These changes do not need a Change Plan, Backout Plan, or Test Plan.

o Firewall Changes
o URL Access Request
o Internet Access
o New user creation, etc.

Operational changes such as adding a user to an AD group, service account creation, or an enhancement to an
application.

• Normal changes.

These are subject to review by a change advisory board (CAB), which typically meets once a week and
requires change requests to be submitted a few days before the CAB meeting.

All Normal Changes must include planning details (Change Plan, Backout Plan, and Test Plan).

o Code changes in production & deployment
o Changes that require downtime, such as device upgrades
o Agent deployment to servers/desktops for security solutions/monitoring

• Emergency changes.

These are changes that must be made very urgently to resolve an issue such as a service interruption, a
significant security vulnerability, or any other need to implement a change before the CAB can meet to
authorize it. Emergency changes are reviewed by an emergency change advisory board (ECAB), which
meets as needed – possibly electronically.

Ex:

o Isolating the network
o Emergency patch for a Zero Day
o Service outage

Recommended Enhancements:

1. Review the current change request list (Standard & Normal) and recategorize the requests into
standard changes and Normal changes which need CAB review
• It was observed in the current CAB change request list that some requests, like the one below,
do not need CAB review; they can be standard, as they are operational changes that do not
impact any services.
• Ex: Firewall change requests
2. Define a CAB change request classification risk matrix.
• The severity and impact of each request type should be defined, so that it can be decided
whether the request has to go to CAB review or not.
• Currently there is no such impact or risk severity definition to categorize a change
as normal, standard, etc.
• Based on the result, the approval workflow can be defined as in the sample below:

Change Type    Category    Approval Authority
Standard       Minor       Local authorization
Normal         Minor       Change manager
Normal         Major       CAB
Emergency      Minor       Change manager
Emergency      Major       Emergency CAB

3. Asset Mapping with the Change Request & CMDB integration
• Map the assets involved in the CR to the CR as Configuration Items while or before the
asset/application goes into production.
• Define Asset Classification (Confidential/Record, etc.)
• Integrate the applicable changes with the CMDB

4. Define Clear Roles and Responsibilities of the Change Management Process
• At present, no clear roles and responsibilities have been defined for the different
stakeholders involved in the process, nor has a RACI matrix.
5. Transparency and Visibility of CAB CRs to IT Users
• Notify IT users of the CRs that go through CAB review so that they are aware of the
network-impacting changes happening in the network.
6. Architecture review does not have to go through CAB review; rather, facilitate the reviewer
through a proper change management task or process.
• Software Development Lifecycle (SDLC) process

7. CAB/Change Management Team as an Independent Stakeholder
• The change management team should act independently and coordinate with all IT
stakeholders.
• It is best practice that the change management team closely coordinates with the ITSM team
to ensure that the different change request handling processes are defined and implemented as
per industry standards and KM standards.
8. Application Commissioning Process:
The current server commissioning process does not include the items below, which are necessary for
onboarding an application into production:
• Application scope (Ex: Internal/External/Cloud/SaaS)
• Asset confidentiality (Confidential, Company Record, or Informational)
• Web application scanning
• Vulnerability scan with the application installed
• Critical application service monitoring
