COMPANY Change Control Policy

  • Purpose
    • Many, if not most, failures of computing systems and services are caused by the unintended consequences of configuration changes. Formal change control programs manage the risk of these consequences by ensuring that change is thought out, goes through appropriate approvals, and informs those whom might be affected.
    • The purpose of this policy is to implement a formal change control program for all computing systems and services in the COMPANY.  
  • Definitions
    • Change Control Program is the formal process and workflow, defined in this document, used to manage change for the COMPANIES computing systems and services.
    • Systems and Services
      • Service
        • Is one or more computing systems used to accomplish a business goal
        • The computing implementation of a business process
      • System
        • Is a collection of computers, devices and other systems and services used to provide a service
      • Associated Systems
        • Is a system or service that affects another service or is dependent on another service.
        • Change to a service may affect an Associated System
        • Change on a Associated System may affect a service
      • Change Control Service
        • A computing service used to manage the work flow of the Change Control Program
        • A repository of all change control records
    • Roles
      • Authorizing Official
        • The manager of the business process dependent on a computing service
        • Business manager whom authorizes and fields a particular computing  service
        • The person whom is responsible to budget for the service
        • The person responsible for the consequences of the service
      • System Owner
        • The technical manager of a system
        • The person responsible for the correct configuration and operation of the system
        • The person who directs other technical people in the correct configuration and operation of the system
      • Associated Owners of Interest
        • The Authorizing Official of a Associated System
        • The System Owner of a Associated System
      • Users
        • People who use the services as part of a defined business process
      • Change Control Manager
        • System Owner of the Change Control Program and the Change Control Service
  • Responsibilities
    • Authorizing Official
      • Responsible for the consequences of the service
      • Responsible for the  budget of the service
      • Responsible for the security, privacy, usability and performance of the service
      • Responsible for the management of the System Owner's performance as it pertains to the service
      • Responsible to insure the System Owner follows all policies, laws, and regulations
      • Responsible to insure the System Owner uses this Change Control Program to manage change of the service
      • Must be an individual with a specific role reporting to senior management
      • Responsible to decide when a service should be put into production or taken out of production
    • System Owner
      • Responsible to design, operate, configure and maintain the service to accomplish the business goals
      • Responsible to ensure that proper change control in implemented over the service
      • Responsible to design a implementation plan that may include detailed instructions for pretesting, implementation and post-testing.
      • Responsible to determine who needs to be informed or participate in the decision to change a service
      • Responsible to insure the communications happens and that they are copied into the Change Control Service
      • Responsible to insure the Service follows all policies, laws and regulations
      • Determines what changes need to be made
      • Determines what testing procedures need to be implemented before a particular change is made
      • Determines what testing procedures need to be implemented after a service has been changed and released back into production
      • Determines what level of design detail should be entered into the Change Control Service
    • Associated Owners of Interest
      • Responsible to inform other Associated Owners of Interest of change that might affect them
      • Responsible to review and understand change control request from other systems to determine their effect
    • Users
      • Responsible to take note, and to take action if required, to all change control communications
    • Change Control Manager
      • Design, implement and maintain the Change Control Program
      • Design, implement and maintain the Change Control Service
      • Monitor and enforce this Change Control Policy
      • Act as the System Owner for the Change Control Service
  • Procedures
    • Request for Change
      • Requester fills out Change Request form at the Change Request Service to the best of their ability
        • Must contain valid Requester Name and contact information
        • Must identify service or system to be changed
        • Must contain a description of the requested change
        • May contain technical system specifics
    • Emergency Notification for Change
      • Sometimes there is no time to request change. This kind of change is very dangerous because mistakes often happen under pressure, but there are some circumstances when a change must happen quickly. 
      • These are the only reasons for a System Owner (or his delegate) to bypass the normal change process and implement an Emergency Notification for Change
        • The system is down or unavailable or it is reasonable to believe it will become so.
        • The system is compromised, or about to be compromised, and as part of the formal incident response it is determined to change or shutdown the service. 
          • See the Incident Response Policy and the System's Incident Policy for details
          • An order, but not a request, from a law enforcement officer is covered under the formal incident response plan and is considered an emergency
        • A reasonable belief that a crime is being, or about to be, committed
        • A reasonable belief that it is a violation of policy, contract or law to continue to allow the system to run unchanged
        • A reasonable belief than sensitive or confidential information will be disclosed if the system is unchanged
        • A reasonable belief that someone might be harmed if the system is not changed
        • A reasonable belief that the system is harming, compromising or leaking another system's data and that this system should be changed to protect the other system
      • All Emergency Notifications must be documented in a Change Request ticket
        • Must include everything a normal Change Request does
        • Must include one of the above reason why the change was an emergency
        • Must include an explanation why one of the above reasons applied
        • Must be completed as soon as reasonably possible
    • Change Implementation Plan
      • Each change control should have an implementation plan
      • Small changes can be documented in the change control ticket
      • Larger changes can be documented in a project plan elsewhere
        • Put a link in the ticket
        • Document high level changes for large projects in the ticket
      • The implementation plan should include what tests need to be done to ensure that the change is successful. 
      • The implementation plan should include a back out plan.
    • Change Approval Process
      • The person who is responsible for the change should insure that everyone affected is notified.
      • Big changes require formal approval.
      • Small changes can be self approved but must be documented before implementation.
    • Violation of Change Control Policy
      • A violation of the change control policy is a security violation
      • Security violations are investigated under the Incident Response Plan
    • New services introduced into Change Control
      • New services should be announced in the change control system
        • Description of the service
        • Who owns and Operates the service
        • Who are the customers
        • What interconnects are there
        • Governance
        • Implement change control fields in the change control system.