Change Management (Policy)
Overview and Purpose

The Information Resources infrastructure at [variable: Covered Organization] is continuously expanding and evolving. There are more people dependent upon the network, more client machines, upgraded and expanded administrative systems, and more application programs. As interdependency within the Information Resources infrastructure grows, a strong change management process is essential to protect systems and data from unexpected failures in confidentiality, integrity, and availability.

From time to time, each Information Resource element requires an outage for planned upgrades, maintenance, or fine-tuning. Additionally, unplanned outages may occur that may result in upgrades, maintenance, or fine-tuning. Managing these changes is also a critical part of providing a robust and valuable Information Resources infrastructure.

The purpose of the Change Management Policy is to manage changes in a rational and predictable manner so that staff and clients can plan accordingly. Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce negative impact to the user community and to increase the value of Information Resources.

Coverage

The [variable: Covered Organization] Change Management Policy applies to all individuals who install, operate, or maintain Information Resources.

Definitions
Change Models (Levels)

Scheduled Change: Formal notification received, reviewed, and approved by the review process in advance of the change being made.

Unscheduled Change: Failure to present notification to the formal process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of a security vulnerability.

Emergency Change: When an unauthorized immediate response to imminent critical system failure is needed to prevent widespread service disruption.

Policy

All [variable: Covered Organization] information systems must comply with an Information Resources change management process that meets the following criteria:

• Every change to a [variable: Covered Organization] Information Resources resource, such as operating systems, computing hardware, networks, and applications, is subject to the Change Management Policy and must follow the Change Management Procedures.
• All changes affecting computing environmental facilities (e.g., air-conditioning, water, heat, plumbing, electricity, and alarms) need to be reported to or coordinated with the leader of the change management process.
• A Change Management Committee, appointed by IS Leadership, will meet regularly to review change requests and to ensure that change reviews and communications are being satisfactorily performed.
• A formal written change request must be submitted for all changes, both scheduled and unscheduled.
• All scheduled change requests must be submitted in accordance with change management procedures so that the Change Management Committee has time to review the request, determine and review potential failures, and make the decision to allow or delay the request.
• Each scheduled change request must receive formal Change Management Committee approval before proceeding with the change.
• The appointed leader of the Change Management Committee may deny a scheduled or unscheduled change for reasons including, but not limited to, inadequate planning, inadequate backout plans, timing that will negatively impact a key business process such as year-end accounting, or adequate resources not being readily available. Adequate resources may be a problem on weekends, holidays, or during special events.
• Customer notification must be completed for each scheduled or unscheduled change following the steps contained in the Change Management Procedures.
• A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not.
• A Change Management Log must be maintained for all changes. The log must contain, but is not limited to:
Enforcement

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable: Covered Organization] Information Resources access privileges and to civil and criminal prosecution.

Supporting Documentation

This policy is supported by the following rules, standards, and procedures:

[variable: internal documents (with links, if available)]
[variable: external documents (with links, if available)]

Policy Support Contact

[variable: title (not personal name) of role responsible for overseeing this procedure]
[variable: Contact information of office responsible for overseeing this procedure]

References

• Copyright Act of 1976
• Foreign Corrupt Practices Act of 1977
• Computer Fraud and Abuse Act of 1986
• Computer Security Act of 1987
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Policy Source Document(s)



Open IT Policy Project 







