The intersection between information security and change management is our awareness topic for September, covering issues such as:
- Many corporate changes deliver new or modified IT systems and business processes, and most of those have information security requirements - therefore information security risk analysis and security design should be a routine part of project management;
- New and updated laws, regulations and compliance obligations (some of which are relevant to information security, risk, privacy and business continuity) push the organization into changing, as do changes in the information security threats, vulnerabilities and impacts affecting the corporation - in other words, apart from changes driven by the business, the organization must respond to changes in the external environment, some of which affect information security;
- Change control and system security in general are all but impossible without adequate IT security controls preventing unauthorized changes - so IT or cyber security is an essential element of change control;
- Software patches often address security vulnerabilities, while the need to implement them quickly on vulnerable systems puts pressure on conventional test and release mechanisms - security patch management puts ordinary change management processes under stress [we provided a new template policy on patching and other awareness content about that];
- Significant changes may create unacceptable risks to the organization unless those risks are recognized and treated - change management is therefore strongly linked to risk management;
- Changes are often unsettling to employees, and if mismanaged may lead to resentment, resistance and perhaps even retribution against the organization that is perceived to be imposing them - which is a cue to pick up on the human aspects of corporate change.