Jail Management System - Maricopa County
Jail Management System - Maricopa County
Jail Management System - Maricopa County
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Issue 4 Change <strong>Management</strong><br />
Summary<br />
MCSO does not have a formalized change management process for authorizing, testing, and<br />
approving the <strong>Jail</strong> <strong>Management</strong> <strong>System</strong> (JMS) changes. JMS developers have unrestricted<br />
access to the application. If unauthorized or untested changes are introduced into JMS, they<br />
could create data integrity and system availability issues. MCSO should strengthen its change<br />
management controls.<br />
Criteria<br />
COBIT recommends the following change management practices:<br />
Condition<br />
Ensuring applications are aligned with business requirements<br />
Managing IT changes in a formal, documented, and controlled fashion<br />
MCSO has not formalized its change management policy and procedures. Change management<br />
procedures standardize the system change processes. Currently, the MCSO Technology Bureau<br />
receives and coordinates requested changes via email with the agency requestor. Approvals are<br />
handled informally and are not consistently documented before being moved into production<br />
(where “live” transaction processing occurs). Developer access to the JMS production<br />
environment is not appropriately restricted.<br />
Effect<br />
Formal change management procedures introduce system changes in a controlled and<br />
coordinated manner and prevent unplanned, unauthorized, and untested changes to JMS.<br />
Effective change management procedures also reduce the risk of service disruption and<br />
associated costs.<br />
Cause<br />
MCSO Technology Bureau staff report that resource constraints have prevented them from<br />
documenting change management procedures. Instead, they have relied on their extensive JMS<br />
experience to compensate for this control weakness.<br />
Recommendations<br />
MCSO should:<br />
A. Develop a formalized process for authorizing, testing, and approving JMS changes.<br />
B. Limit developers’ access to JMS and/or implement system monitoring controls to identify<br />
and review the appropriateness of system changes.<br />
<strong>Maricopa</strong> <strong>County</strong> Internal Audit 12 <strong>Jail</strong> <strong>Management</strong> <strong>System</strong>–May 2012