February 2008 Tech Talk
GTAG Guide 2 - Change and Patch Management Controls: Critical for
GTAG (Global Technology Audit Guide) – Guide 2 addresses a critically important piece of any
business: change and patch management controls. The IIA titled this GTAG appropriately.
Without strong, underlying management of what changes or patches are being applied to your
company’s information systems, you are inviting failure into your organization.
This guide examines these controls from several perspectives in terms of their impact on the
organization and the information systems area. One of the biggest risks mentioned is the risk of
unauthorized changes. We should all be aware of how detrimental unauthorized changes to
our information systems can be. Unauthorized changes could lead to anything from
criminal activity and major regulatory compliance issues down to wasted time and effort to
correct inaccuracies. That is a wide range of risks that need to be, and can be, addressed by
starting in one place – auditing change and patch management controls.
Applying patches to systems is a critical activity to address the dynamic threats that exist, but
applying patches to systems without a sound system of controls is a good way to render your
systems inoperable. Take the time to read through this guide. The time you spend will be well
worth it to you and your organization. An audit program is included within the guide.
The link to GTAG – Guide 2 is: http://www.theiia.org/guidance/technology/gtag/gtag2/