Service Desk Practitioners Forum

Change Management and SOX

Regular Contributor.

Change Management and SOX


SOX gives us lots of requirement to change management process. We have to implement in OVSD. Does HP have any plan to update OVSD to be compliance with SOX?

For example, change management of ITSM is for infrastructure change, we want to use same tool to manage application change. Application change need approval from business owner before release to production system. But usually they are not OVSD user, that means they do not have OVSD account, and we can not create account for them since there are many many people. How to deal with this?
Mark O'Loughlin
Acclaimed Contributor.

Re: Change Management and SOX


the way I would look at this is that in order to have SOX compliance you need to have a framework of an IT standard behind it say CobIT or ITIL/ITSM. These frameworks can share common ground. So i don't think that it is a case of changing OVSD to be SOX compliant. It is ITIL/ITSM compliant which is one of the frameworks that can be used to achieve SOX compliance. It should also be able to accommodate CobIT but could need some additional customisation.

In your example in managing application changes you could look at managing these through a release program and through this you could control the number of approvers required for application releases. At a minimum have a release manager. In one situation similar to you a release manager was set up and they made the approval vote (with only 1 other manager and the IT director signing off on the release). The additional approvals were sent to the release manager via e-mail. The process defined that it was his responsibility to get all business sign-offs via e-mail and attach them to the relevant change request. The process also defined who was reponsible to provide sign-off for each application.

It was messy in a way but that's what the customer wanted in the end to save having to create a large number of login's for each manager and save training then in using the tool.

So by using a framework, clearly defined processes and the tool you should be able to cover what's required for SOX compliancy