Introduction
Over the last few years there has been an ever-increasing number of widely publicised problems involving notable corporate organisations and the failings of their IT systems. Incidents of ransomware, hacking and phishing are becoming worryingly commonplace. As the mainframe is often the central hub to many organisations, particularly in the financial market, supporting a wide range of integrated peripheral platforms — onsite, hybrid cloud and mobile — maintaining the mainframe to operate optimally, whilst ensuring integrity, security and regulatory compliance, is no insignificant task.
Keeping the Engine Running Whilst Maintaining Regulatory Compliance
Periodic updates and new version releases to z/OS, associated hardware and firmware, industry specific applications and third-party add-on applications all need to be carefully orchestrated in order to keep the engine running smoothly and uninterrupted. This means any changes need to be authorised, scheduled, tracked and backed up.
CORA (Corporate accountability), DORA (Digital Operational Resilience Act), GDPR, and SOX regulations (to name but a few) all require that this activity must be carried out under the umbrella of stringent ICT (Information and Communications Technology) controls to be able to prove to external and internal auditors that processes and mechanisms are in place to ensure corporate compliance accountability.
The FCA (Financial Conduct Authority), whose fines are not tied directly to the regulations above, issued £123,911,524.45 of fines in 2025 alone (https://www.fca.org.uk/news/news-stories/2025-fines). DORA came into effect only in January 2025 – there is still plenty of time and abundant opportunity for incurring very large fines.
Unless you have a strict authorisation process in place that controls who can make changes on your system, what they can change and when, anyone with UPDATE authority could potentially make disastrous changes and invalidate any audit.
Meeting the Effective Change Management Challenge
Identity and Access Management (IAM) and Privileged Access Management (PAM) solutions are parts of the change management jigsaw, and are essentially formalizations of best practices for security and audit. As such, they provide some security and ICT compliance.
Frequently, these IAM and PAM systems are combined with separate paper-based or electronic change request and approval systems such as an internal IT support desk system. This system typically raises a support ticket (change request) and routes it through an approval process and/or the granting of privileged access. This may be the end of that process with the ticket being closed off at this stage, without any integrated or automated tracking and control of the actual change made and subsequent removal of privileged access.
Security Information and Event Management (SIEM) solutions are another, separate, part of the jigsaw that organizations are now utilising to aggregate and analyse events across their IT infrastructure. There are significant challenges, though, in transmitting mainframe event data to these products due to the unique attributes of mainframe data, such as EBCDIC character encoding and unique number representation formats, as well as security environments that are unlike those of other platforms. Mainframe event data needs to go through numerous transformations before a SIEM can accept it.
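The transformations mentioned above are easy to underestimate until you see what a raw mainframe record looks like to a tool that assumes ASCII. The following is an added example, not code from the original article or from any product it describes: it decodes a constructed fixed-layout event record (an EBCDIC user ID, a packed-decimal counter, a big-endian binary return code and an EBCDIC event text) into JSON that a SIEM could ingest. The record layout, field names and sample values are assumptions made for illustration and are not a real SMF record format.

```python
import json
import struct

# Constructed record layout (hypothetical, not a real SMF layout):
#   offset  0, length  8 : user id, EBCDIC (code page 037), space padded
#   offset  8, length  4 : change count, packed decimal (7 digits + sign nibble)
#   offset 12, length  4 : big-endian unsigned 32-bit return code
#   offset 16, length 16 : event text, EBCDIC, space padded
RECORD_LENGTH = 32


def unpack_packed_decimal(data: bytes) -> int:
    """Decode IBM packed decimal: two digits per byte, except the last byte,
    whose low nibble is the sign (0xB/0xD negative, 0xA/0xC/0xE/0xF positive)."""
    if not data:
        raise ValueError("empty packed decimal field")
    digits = []
    sign = None
    last = len(data) - 1
    for i, b in enumerate(data):
        hi, lo = b >> 4, b & 0x0F
        digits.append(hi)
        if i == last:
            sign = lo
        else:
            digits.append(lo)
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal digit nibble in packed field")
    if sign in (0xA, 0xC, 0xE, 0xF):
        negative = False
    elif sign in (0xB, 0xD):
        negative = True
    else:
        raise ValueError("invalid sign nibble 0x%X" % sign)
    value = int("".join(str(d) for d in digits))
    return -value if negative else value


def decode_record(raw: bytes) -> dict:
    """Turn one raw record into plain Python values (ASCII strings, ints)."""
    if len(raw) != RECORD_LENGTH:
        raise ValueError(f"expected {RECORD_LENGTH}-byte record, got {len(raw)}")
    return {
        "user": raw[0:8].decode("cp037").rstrip(),
        "change_count": unpack_packed_decimal(raw[8:12]),
        "return_code": struct.unpack(">I", raw[12:16])[0],
        "event": raw[16:32].decode("cp037").rstrip(),
    }


def to_siem_json(raw: bytes) -> str:
    """JSON line in the shape most SIEM collectors accept."""
    return json.dumps(decode_record(raw), sort_keys=True)


def build_sample_record() -> bytes:
    """Constructed sample: user SYSPRG01, 1234 changes (packed, positive sign C),
    return code 8, event text 'MEMBER UPDATED'."""
    return (
        "SYSPRG01".encode("cp037")
        + bytes.fromhex("0001234C")
        + struct.pack(">I", 8)
        + "MEMBER UPDATED".ljust(16).encode("cp037")
    )


if __name__ == "__main__":
    raw = build_sample_record()
    # Forwarding the bytes unchanged gives the SIEM unreadable text, which is the
    # point of the transformation step.
    print("naive byte view  :", raw[0:8].decode("latin-1"))
    print("decoded for SIEM :", to_siem_json(raw))
```

The decoder is deliberately strict: a bad digit or sign nibble raises rather than silently producing a wrong count, because a collector that guesses is harder to audit than one that rejects the record and logs why.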
As the above demonstrates, there are many ways to draw together the separate parts of the change management jigsaw into a solution. The challenge is that, whilst these tools address some of the issues, there can be a disconnect between the change request that was authorised and the change actually made, particularly at the level of granular access to files and data, and there is the ever-present opportunity for unintentional human mistakes. The requesting user obtains approval and authorisation for what they say they will do, not necessarily for what they actually do.
Clearly what is required is a single application covering all aspects of the above, linking out where required via APIs to specific peripheral applications and providing a real-time, comprehensive, granular and flexible solution.
Example!
Without an active real-time change management product installed, a user could be granted UPDATE access to a file, dataset or directory. Ensuring secure member level access, though, can be more complicated. The user could make multiple changes, the first being manipulative code which is executed immediately, to then be replaced with the correct change. IAM/PAM can’t prevent this and SIEM products react far too late. Also, without scheduling control, the user could have unlimited time access until the authorisation is closed.
So, who is Responsible?
Change management touches many parts of an organisation — not just the IT department. Managers and their teams from the following work areas can be involved in various important ways:
- Security
- Risk Management
- Internal and External Auditing
- Compliance
- Change Management Team
- System Programming
- Networking
- Operations
- Application Groups
It is ultimately the ‘C-suite’, though, that will bear the brunt of any problems arising from system modifications as a result of unauthorised changes. It is essential that the upper tiers of an organisation not only “buy into” the change management challenge, but also personally ensure that the right controls are in place before a problem arises.
What are the Consequences of Inaction?
The Digital Operational Resilience Act (DORA), which became enforceable in the EU on January 17, 2025, introduces strict penalties and fines for financial entities and their critical third-party ICT service providers that fail to comply with new digital security standards.
Key Fines and Penalties:
- Financial Entities: Institutions failing to comply may face fines of up to 2% of their total annual worldwide turnover or, in some jurisdictions, up to 10%.
- Critical Third-Party Providers (CTPPs): Providers deemed critical can face fines of up to €5 million for non-compliance, as well as periodic penalty payments of up to 1% of their average daily worldwide turnover for up to six months.
- Individual Liability: Senior management can be held personally responsible, with potential fines of up to €1 million.
- Additional Sanctions: Beyond financial penalties, regulators may issue public “naming and shaming” announcements, order remedial measures, or suspend services.
The Plan of Attack
“The best form of defence is attack”, a concept attributed to military thinkers like Carl von Clausewitz (On War) and Sun Tzu (The Art of War), emphasizes that being proactive and launching an offensive strategy is more effective than passively waiting to defend. The offensive approach forces opponents onto the back foot and gains strategic advantage. Additionally, repairing a breached defensive stance can be costly in terms of time, money and resources.
There are endless papers and discussions on mainframe protection via cyber security, threat identification using SIEM products, ITIL-driven processes and many more variations on this theme. All these papers fall into two major categories:
- The first is control of the system on trust. These types of control are usually ITIL-based or rely on a Change Management system that has no active controls, in other words, riding the wind on a hope and a prayer.
- The second is the rising use and reliance on SIEM products that take data from all types of sources and analyse this data, the idea being to identify illegal cyber-attacks, penetration attacks and unwanted or unauthorised changes. This is clearly working in hindsight to identify something that has already happened, and which potentially has already corrupted or destroyed your mainframe system. A case of shutting the stable door after the horse has bolted.
What is required is a single, real-time, integrated, active systems management product that automatically and transparently traps events in z/OS systems and has:
- Tracking Mode — Provides backups, statistics, comparisons and backout ability for changes that have been made.
- Control Mode — Enables additional layers of protection to prevent unauthorised and/or undocumented changes, as required by GDPR and SOX. These layers, any combination of which can be used, are:
  - Controls down to the member level
  - Change Request required
  - Authorisation (single or multiple) required
  - Scheduling required
  - Can be restricted to a single change
  If the requirements aren’t met, the change will be prevented. This results in no undocumented or unauthorised changes.
- SAM (Software Asset Management) — Allows the execution of a product on an unlicensed or unauthorised LPAR to be blocked, thereby enforcing contractual obligations.
- Alerts — If changes are made to critical resources, then Alerts can be issued via E-mail or Messaging.
- Audit Trail — Is comprehensive for all changes whether under Change Management control or not.
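The Control Mode layers above, and the scenario in the earlier Example section where a user with UPDATE access makes more than one change under a single authorisation, both come down to one gate: a proposed change is matched against an open change request and refused unless every required condition holds. The following is an added example, not code from the original article or from any product it describes, showing that gate as a small policy evaluator. It covers member-level scope, a required number of distinct approvers, a scheduled window and the single-change restriction, and it returns the reason for a refusal so the audit trail can carry it. The ticket, user, dataset and member names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ChangeRequest:
    ticket: str
    user: str
    dataset: str
    member: str                 # "*" = any member of the dataset; otherwise one member
    approvers: list             # IDs that have approved; duplicates do not count twice
    required_approvals: int     # single (1) or multiple authorisation
    window_start: datetime      # scheduled window in which the change may be made
    window_end: datetime
    single_change: bool         # restrict the request to exactly one change
    changes_made: int = 0       # updated by the gate when a change is permitted


@dataclass
class ChangeAttempt:
    user: str
    dataset: str
    member: str
    at: datetime


def evaluate(attempt: ChangeAttempt, requests: list) -> tuple:
    """Return (permitted, reason). Every matching request is checked in turn and
    the first one satisfying all layers permits the change; otherwise the reasons
    collected from each candidate are returned for the audit trail."""
    reasons = []
    for req in requests:
        if req.user != attempt.user or req.dataset != attempt.dataset:
            continue
        if req.member != "*" and req.member != attempt.member:
            reasons.append(f"{req.ticket}: covers member {req.member}, not {attempt.member}")
            continue
        approvals = len(set(req.approvers))
        if approvals < req.required_approvals:
            reasons.append(f"{req.ticket}: {approvals} of {req.required_approvals} approvals")
            continue
        if not (req.window_start <= attempt.at <= req.window_end):
            reasons.append(f"{req.ticket}: outside scheduled window")
            continue
        if req.single_change and req.changes_made >= 1:
            reasons.append(f"{req.ticket}: single permitted change already used")
            continue
        req.changes_made += 1
        return True, f"permitted under {req.ticket}"
    if not reasons:
        reasons.append("no change request covers this user and dataset")
    return False, "; ".join(reasons)


def demo() -> list:
    """Constructed scenario: one approved, scheduled, single-change request for
    member CHGMEM01, then three update attempts by the same user."""
    t0 = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    req = ChangeRequest(
        ticket="CHG-0001", user="SYSPRG01", dataset="PROD.SYSLIB", member="CHGMEM01",
        approvers=["MGR1", "SEC1"], required_approvals=2,
        window_start=t0, window_end=t0.replace(hour=12), single_change=True,
    )
    attempts = [
        ChangeAttempt("SYSPRG01", "PROD.SYSLIB", "CHGMEM01", t0.replace(minute=30)),  # in scope, first change
        ChangeAttempt("SYSPRG01", "PROD.SYSLIB", "CHGMEM01", t0.replace(minute=45)),  # second change, refused
        ChangeAttempt("SYSPRG01", "PROD.SYSLIB", "CHGMEM02", t0.replace(hour=11)),    # other member, refused
    ]
    return [evaluate(a, [req]) for a in attempts]


if __name__ == "__main__":
    for permitted, reason in demo():
        print("ALLOW" if permitted else "DENY ", reason)
```

Because the request object records how many changes it has already permitted, the second attempt on the same member is refused even though the user still holds UPDATE access and the window is still open, which is exactly the gap the IAM/PAM-only approach leaves.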
Conclusion
The absence of an active real-time change management product on your mainframe z/OS systems results in the following:
- Under CORA, DORA, SOX, GDPR, etc., the systems are almost certainly non-compliant
- There is an increased risk to the systems being penetrated, leading to loss of data, availability or even the whole system
- Damage to the reputation of your company
- Potentially massive fines that can exceed the cost of implementing a solution by a factor of 10 or more.