Change Control Policy
The purpose of this policy is to ensure that all changes to University IT Resources minimize any potential negative impact on services and Users.
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
- All University IT Resources changes must be documented per the Change Control Process.
- All changes to University IT Resources must follow the Change Control Process to ensure appropriate approval, planning, and execution.
- Change requests may not be required for non-production (e.g., DEV, Test, QA) environments unless there is a significant upgrade or an impact.
- Production change requests must note that the change has been successfully applied, tested, and verified in a non-production environment when a suitable environment(s) exists.
- Changes to production environments undergo impact examination before submitting the change request per the Change Control Process. This information will be used to determine the impact of the change by considering:
- The impact the proposed change will have on business services, if it is expected to cause a widespread outage, a loss of connectivity or functionality to a specific group or groups;
- The risk involved in not making the change;
- The risk if the change does not go as planned; and
- Predictability of the success of the change.
- Changes must be vetted for security implications through the participation of Information Security and Assurance (ISA).
- Significant User experience changes must be conveyed to the Change Control Board (CCB) and communicated to the affected audience and IT Service Desk Level 1.
- A lessons learned session should occur in the event of an incident during a change request.
Change Control is a systematic approach to managing all changes made to University IT Resources. The purpose is to ensure that no unnecessary changes are made, that all changes are documented, that services are not unnecessarily disrupted, and that resources are used efficiently.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Related Policies and Procedures
- CMB (EasyVista) Instructions
- Change Control Process
- Patch Management Policy
- Vulnerability Management Policy
|Responsible Person:||Director, Innovation and Change Management|
|Approval Date:||April 15, 2019|
|1.0.1||04/01/2020||Updated policy statement|
|1.2||06/02/2020||Updated change request document|
|1.3||03/03/2022||Updated policy statement|
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.