Saturday, March 21, 2020

Change Management Process


As workers look for better work-life balance and employers need to find talent to fill vital roles, telecommuting can accomplish both goals. More people are looking for the option of remote work when looking for a new job. Companies need developers, security experts, and devops professionals to lead digital transformation work and secure the enterprise. IT Change Management is the process of requesting, analyzing, approving, developing, implementing, and reviewing a planned or unplanned change within the IT infrastructure. The Change Management Process begins with the creation of a Change Request within the company’s selected technology platform. It ends with the satisfactory implementation of the change and the communication of the result of that change to all interested parties. Several studies show that the trend toward telecommuting is not going away. Even if telework is not the norm for your company, it can be an important tool to use during a regional or national crisis. Most companies can best navigate telecommuting jobs by setting clear expectations, roles, and responsibilities and using collaborative platforms. Telecommuting is becoming more of a business strategy than a perk for small companies looking to find the right people. To achieve this, the change management process includes the following primary steps (note that all information collected in the steps below is documented in a Change Record created in the company’s selected technology platform):

• Formally Request a Change. All requests for change will be documented within the company’s selected technology platform by creating a new change record. A new request for change will be completed by the Change Coordinator with input from the Change Requester.

• Categorize and Prioritize the Change. The Change Coordinator will assess the urgency and the impact of the change on the infrastructure, end user productivity, and budget.

• Analyze and Justify the Change. The Change Coordinator works with the change requester and the change initiator to develop specific justification for the change and to identify how the change may impact the infrastructure, business operations, and budget. The Change Coordinators use this information to further research and develop an extensive risk and impact analysis. When completing the analysis of the change, the Change Coordinator must ensure they consider the business as well as the technical impacts and risks.

• Approve and Schedule the Change. The Change Coordinator uses the company’s selected technology platform to record an efficient process for routing the Request for Change (RFC) to the Change Coordinator, technical approvers, business approvers and, in the event of a major or significant change, to the Change Advisory Board (CAB) for approval or rejection of the change.

• Plan and Complete the Implementation of the Change. This process includes developing the technical requirements, reviewing the specific implementation steps and then completing the change in a manner that will minimize impact on the infrastructure and end users.

• Post-Implementation Review. A post-implementation review is conducted to determine whether the change has achieved the desired goals. Post-implementation actions include deciding to accept, modify or back out the change; contacting the end user to validate success; and finalizing the change documentation within the company’s selected technology platform.

Our observation of clients and case studies found that telecommuting two or three days a week seems to create the right balance between working at home and working at the office. These industries have the highest percentages of people who telecommute: Healthcare at 15%, Technology at 10%, and Financial Services at 9%, relative to their share of the total workforce.

Monday, March 16, 2020

Information Security Management


In an age of increasing data usage and the risk of information security breaches and cyber-attacks, the benefits of an information security management system (ISMS) are clear. Not only can it help to minimize the chance of such breaches occurring, it can reduce the costs associated with keeping information safe. ISO/IEC 27001 is widely known, providing requirements for an ISMS, though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties. An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure. Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. ISO does not perform certification.

The attraction of cybercrime to criminal hackers is obvious: tangled webs of interactions, relatively low penalties, disjointed approaches on money laundering and potentially massive payouts. The key is preparation and seeing vulnerabilities, and resilience, in terms of interactions with overall management systems, and that’s where information security management systems (ISMS) standard ISO/IEC 27001 comes in. We now know it’s true that risks that threaten information, business processes, applications and services are continually evolving. ISO/IEC 27001 is a continual improvement standard, which means the built-in risk management process allows businesses to keep up to date in their fight against cybercrime. The continual improvement aspect of ISO/IEC 27001 means that an organization can assess its risks, implement controls to mitigate these, and then monitor and review its risks and controls, improving its protection as necessary. In that way, it’s always at the ready and prepared for attacks:

Software attacks, theft of intellectual property or sabotage are just some of the many information security risks that organizations face. And the consequences can be huge. Most organizations have controls in place to protect them, but how can we ensure those controls are enough? The international reference guidelines for assessing information security controls have just been updated to help. For any organization, information is one of its most valuable assets and data breaches can cost heavily in terms of lost business and cleaning up the damage. Thus, controls in place need to be rigorous enough to protect it, and monitored regularly to keep up with changing risks. The technical specification (TS) has recently been updated to align with new editions of other complementary standards on information security management, namely ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements) and ISO/IEC 27002 (code of practice for information security controls), all of which are referenced within. In a world where cyber-attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organization’s business processes. ISO/IEC TS 27008 can help give organizations confidence that their controls are effective, adequate and appropriate to mitigate the information risks the organization faces.

At the business level, it remains a formidable task to model and mitigate threats from all conceivable angles. There’s a clear need to use a unified, integrated security system across the whole business and, given the complexity of interrelationships. ISMS are applicable to all types of organization and all types of business activities, including those of SMEs. Many SMEs are part of supply chains, so it’s essential that they are in control of, and manage, their information security and cyber-risks in order to protect themselves and others. A business’s obligations are typically defined in service-level agreements (SLA), contracts between partners of the supply chain that detail service obligations and requirements and establish legal liabilities, and ISMS often form an integral part of such agreements. There are challenges attached to online business for SMEs, but they are far outweighed by the enormous potential that has been opened up by the Internet. It could be argued that it is smaller businesses that have been the most enabled by technology. Anybody – who has a design; who has a computer; who can get on the Web; has access to a platform – can become a part of international trade. The upsides for social and economic development are enormous: the Internet brings global reach to growing numbers of previously isolated individuals and communities. However, a proven and prudent approach such as ISMS is needed to mitigate the downsides.

Our private lives may be less complex than global business, but just as much is at stake. For many of us, simply following best practices for passwords and security updates (and bearing in mind that if it smells fishy, or looks too good to be true, then it almost certainly is) should help keep us safe from cybercriminals, much of the time. But people are increasingly asking questions about the way that institutions and companies store, analyse and monetize the vast amounts of data that we hand over more or less voluntarily. When privacy, finances, individual or corporate reputation are threatened, it undermines confidence and impacts our behaviour, both online and in real life. The role of the ISO/IEC 27000 family in allowing us to continue to advance is paramount. With many reasons to feel anxious as almost every aspect of our lives becomes digitized, it’s reassuring to know that there’s a family of standards to count on for information security management systems, and MEP Digital Systems is working with a global group of experts to keep clients one step ahead.

Business Continuity Planning: Remote Work


The coronavirus (or Covid-19) is taking a more serious turn in South Africa with warnings that it could very well impact how, when, and where we work. That's a lot of disruption for the technology industry and for most industries, especially since the virus has not spread very far in the country yet. The global spread of the virus may be a moment that reveals whether employers are ready to respond rapidly to unexpected workplace changes. Business travel will decrease or come to a full stop. More employees may need to work outside of local “business hours” and use video conferencing to operate across time zones. And, if it gets bad enough, many could indeed be asked, or request, to work remotely. Thanks to digital transformation and cloud computing, you probably already have migrated a lot of work to the cloud. You may also have collaboration tools in place such as chat software and video conferencing. If you haven't prepared at all for such an event, it's a good idea to start with a team of maybe eight employees and tell them all to work from home. That team works from home for one day with each person doing their normal work. They should be able to interact with co-workers, clients, and partners as well as use all the systems the company has set up. Perform regular assessments. How did it go? Were there any hiccups? That's where you need to direct your attention. Troubleshoot the problems and then roll out the solutions to the team. It's only through practice that you will turn this new way of working into muscle memory, making it as natural as working at your desk at the office. You need to plan as if the only way to remain operational will be for as many employees as possible to work remotely. Gather a cross-functional team together that includes business-line leaders, IT, HR, communications, and facilities to start to plan for different scenarios and optimize execution, should circumstances require a rapid response.
Note which roles and duties: 1) Can be done, even partially, without a physical presence in the workplace, 2) Cannot be done, even somewhat, outside of the physical office, and 3) Not sure.

You will need to challenge any potentially inaccurate default assumptions about specific jobs you may have thought couldn’t be done remotely. And for those in the “not sure” column, be willing to experiment. For example, for years, we’ve been told, “Helpdesk analysts can’t work flexibly.” And, for years, we have worked with teams of systems administrators to prove that is not true. Yes, certain tasks they complete require physical presence, but those can be planned for. The majority of their tasks can happen effectively outside of the traditional model of work and benefit the business. If you'll be using your mobile phone and video conferencing, you will also want to make sure you have a headset and maybe an external webcam. We also recommend that you test your virtual private network (VPN) before you leave the office. To do that, first disconnect from the office network, then turn on your mobile phone's WiFi hotspot, and connect to the corporate network that way. Make sure you can connect via VPN or gain entrance through whatever security measures your enterprise has in place. You also need to assess the comfort level with specific applications, such as video conferencing and other collaboration/communication platforms. Where you find gaps, provide training and opportunities for practice before people need to use them. Real-time mastery is not optimal and is inefficient. Identify devices owned by the organization that people could use and clarify acceptable “bring your own device” (BYOD) options, be it phone or laptop. Determine if there are any data-security issues to consider and how best to address them beforehand. Your communications plan needs to outline: how to reach everybody (e.g., all contact information in one place, primary communication channels clarified, such as email, IM, Slack, etc.); how employees are expected to respond to customers; and how and when teams will coordinate and meet.

For management, pull out those rules and procedures you wrote up to deal with emergencies and crises. Figure out the way that you will communicate directives with employees. Determine what systems, communications, and processes you need to implement to continue on as an existing business entity serving customers and employees. After the flexible response period is over, this data will allow you to reflect on what worked, what didn’t, and why. The data will also prepare you in advance to answer the inevitable question once the crisis has passed, “Why don’t we do this all the time?” Depending upon the outcomes, you may decide to continue certain aspects of the flexible response permanently. For example, perhaps you cut business travel by 25% and substitute video conferencing. You determine afterward that about 80% of those meetings were equally as effective virtually. Therefore, a 20% decrease in business travel will continue, but this time as part of the organization’s sustainability strategy to cut carbon emissions. Global health emergencies, like Covid-19, are scary, disruptive, and confusing for everyone. And if you plan and nothing happens? Then, at minimum, you have an organized, flexible work disaster response ready the next time there’s a challenge to operational continuity, which chances are, there will be.

Saturday, March 14, 2020

Statement of Requirements


The team at MEP Digital Systems is experienced in technical support, project management, technical sales and consultancy. In addition to excellent product and technical knowledge, we build effective relationships with customers and analyze business and technical requirements including developing solutions that meet those needs. We work with product development teams to customize products for individual customers, demonstrate products to customers and explain how the proposed product or solution meets customers’ needs. When customers have agreed to purchase a solution, we identify the services and support customers will need to make effective as well as productive use of products. We manage projects and put together installation programs that minimize disruption for customers including arranging training for IT users. We monitor the progress of product installations to ensure that they are successful, identify any recurring issues and recommend changes to products. We hold regular review meetings with customers to discuss any issues or problems and provide reports.

Technical account managers analyze customers’ support requirements and identify areas where the company can offer improved service or reduce support costs. By monitoring product performance and associated support needs, we identify opportunities to upgrade or modify products so that they meet customers’ needs more effectively. We provide reports on product performance and advise customers on new products or upgrades that may be suitable for their business. Once written, signed and accepted by all parties, the statement of requirements (SOR) delineates all of the milestones between beginning the project and delivering all of the modules of each stage of the endeavor. The SOR prevents a situation known as "scope creep," or constant changes in the components and deadlines of a completed contract. When creating an SOR, we consider everything that all of the interested parties would expect to receive, including how to comply with applicable laws, regulations and customs. We spend time meeting with clients in order to have full assurance that neither party has misunderstood anything.

We include the SOR in project queries, which consist of two main types: solicited and unsolicited. Solicited project queries include answers to calls for bids and requests for information. The statement of requirements for a solicited project query answers all of the points raised by the prospective client. Our unsolicited queries, on the other hand, include potential returns on any investments and which probable solutions we can deliver more quickly and effectively. We create compelling offers with a clear call to action using unsolicited queries. Despite the fact that the client may have already provided their own needs assessment, the possibility exists that something vital to the project's success might not have occurred to the person who performed it. We therefore review every line of the assessment provided by the client, asking probing questions to ensure that we both have the same understanding of every term and condition. We identify all the deliverables and the responsibilities of the client and the contractor. We state how and when to expect invoices, purchase equipment and release funds at each stage of the operation. Each requirement should contain a single thought. The statement of work must also include the timeline for completion and who will verify that the work adhered to applicable laws and regulations. The goal is that everything left out on purpose cannot creep back into the project later and wreck the schedule of payments and deliverables.

Content Analytic Platforms

One of the huge upsides in the digital distribution economy is access to data. Content creators have more tools for tracking their content...