
Improve Program Change Controls To Reduce Incidents

Recently in my Norwich MSIA class we were discussing the importance of program change controls, and I wanted to continue the discussion here because as important as it is, it typically does not get the attention it deserves in most organizations.

I've seen a lot of organizations with very weak to no program change management controls, and as a result not only have outages and embarrassments occurred from putting buggy programs into production, but privacy breaches have occurred as well. It seems from the many continuing exploits of online applications that there is still work to be done around application program change controls.

I actually got into the information security, privacy and compliance path way back at the beginning of my career as a result of creating and maintaining the program change control system at a large financial/insurance company.

The programs were all housed in an IBM 360 mainframe (where most of them still are today...funny how mainframes now seem to be high-speed application servers) divided into three regions for each of the several business unit regions.

My change control system was used to move a program from the test region to the pilot region to the production region within each of the applicable business unit regions. It was an online system that required authorizations for each of the moves. A manager had to approve, through the online system, the move from test to pilot. A director had to approve, through the online system, the move of a program from pilot to production. The documented procedures required the managers and directors to carefully review the change documentation, and proof of thorough testing as signed off by the program team leader or manager, respectively, before they would provide their approval within the system.

The concept was good. The system was good. The procedures were good. Unfortunately many of the individuals using the system were not so good.

It was a real frustration for me to walk through the many different programming areas (we had around 700 programmers at the time) on Thursdays (the last day of the week for directors to approve of program changes to be moved into production on Friday) and see so many of the directors with their terminals logged on and open to access (no PCs were used in the programming area at the time...that actually didn't change until the mid-1990s), and not even at their desks or in their offices, so that the programmers could go in and make the online approvals themselves!

"What the...!!!"

That bothered me for a couple of reasons...

  • At a personal level, I wondered why I put so much time and effort into creating a sound, tightly controlled change control system, only to have the people authorized to use it defeat those controls.
  • At a business level, I saw how dangerous this was. As a result of these managers and directors not really doing the reviews, each week we had a large number of production moves that had to be backed out on Friday afternoons because of the problems they caused. Many were very minor problems, but some brought the system to a standstill or even messed up the customer databases significantly before the problems were noticed.

After being responsible for this online change control system for a little over a year, there was an opening in the IT Audit area. Working on the change control system helped me to see firsthand the importance of controls, so I applied for, and got, the IT Audit opening to learn more about how controls impact business.

One important lesson, then, is that even with the greatest systems and procedures in place, if the individuals who are authorized to use the systems, and make the move authorizations, do not follow procedures...because it is too inconvenient, time consuming, not worthwhile in their viewpoints, or whatever...the controls will be defeated and incidents and problems will occur.

Be sure to look beyond just the documentation and the systems capabilities within any change control system; also observe how well individuals are following those procedures.
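As an added illustration (not the author's original mainframe system), here is a small Python model of the promotion workflow the post describes: a move from test to pilot needs a manager, a move from pilot to production needs a director, testing must be signed off independently, and the approver cannot be the submitter. The idle-session check, the role names and the time limit are assumptions added to show how an unattended logged-on terminal, the failure mode described above, becomes a rejected approval rather than a silent bypass.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

class Region(Enum):
    TEST = "test"
    PILOT = "pilot"
    PROD = "production"

# Role that must approve a move OUT of each region, as in the post:
# manager for test->pilot, director for pilot->production.
REQUIRED_ROLE: Dict[Region, str] = {Region.TEST: "manager", Region.PILOT: "director"}
NEXT_REGION: Dict[Region, Region] = {Region.TEST: Region.PILOT, Region.PILOT: Region.PROD}
MAX_IDLE_SECONDS = 300  # constructed policy: an approver idle longer than this must re-authenticate

@dataclass
class Session:
    user: str            # the person actually logged on at the terminal
    role: str            # "programmer", "manager" or "director" (assumed role names)
    idle_seconds: int    # time since this user last interacted with the terminal

@dataclass
class Change:
    program: str
    submitter: str                      # programmer who wrote the change
    test_signoff: Optional[str] = None  # team leader/manager who signed off on testing
    region: Region = Region.TEST
    audit: List[str] = field(default_factory=list)

def promote(change: Change, session: Session) -> Region:
    """Move a change one region forward, or raise PermissionError naming the control that blocked it."""
    if change.region not in NEXT_REGION:
        raise ValueError(f"{change.program} is already in production")
    needed = REQUIRED_ROLE[change.region]
    if session.role != needed:
        raise PermissionError(f"{needed} approval required, session role is {session.role}")
    if session.user == change.submitter:
        raise PermissionError("separation of duties: submitter may not approve their own change")
    if change.test_signoff is None or change.test_signoff == change.submitter:
        raise PermissionError("independent test sign-off missing")
    if session.idle_seconds > MAX_IDLE_SECONDS:
        # An unattended logged-on terminal is exactly how the post's directors were bypassed.
        raise PermissionError("stale session: approver must re-authenticate before approving")
    change.audit.append(f"{session.user} ({session.role}) approved {change.program}: "
                        f"{change.region.value} -> {NEXT_REGION[change.region].value}")
    change.region = NEXT_REGION[change.region]
    return change.region
```

The audit list records who approved each move under their own authenticated session, which is what an auditor would later compare against the change documentation.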

Technology tools are necessary and good to support information security and privacy, but they cannot, by themselves, provide effective safeguards for business information.

  • Personnel MUST receive EFFECTIVE training and ongoing awareness communications to know not only WHAT they must do to safeguard information, but also WHY.
  • Noncompliance with policies and procedures must be consistently enforced, or the policies and procedures will not be effective.
  • Business leaders, from the CEO down, MUST support information security and privacy efforts; they set the example that the rest of the people in the organization follow.

BTW, after I went to the IT Audit area, the common practice of leaving unattended terminals and PCs logged in and unsecured, allowing others to use them, changed. :)


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.