Change Control Policy
Version 2.0
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to ensure that all changes to University IT Resources minimize any potential negative impact on services and Users.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- All University IT Resources changes must be documented per the Change Control Process.
- All changes to University IT Resources must follow the Change Control Process to ensure appropriate approval, planning, and execution.
- Change requests may not be required for non-production (e.g., DEV, Test, QA) environments unless there is a significant upgrade or an impact.
- Production change requests must note that the change has been successfully applied, tested, and verified in a non-production environment when a suitable environment(s) exists.
- Changes to production environments undergo impact examination before submitting the change request per the Change Control Process. This information will be used to determine the impact of the change by considering:
- The impact the proposed change will have on business services if it is expected to cause a widespread outage, a loss of connectivity, or functionality to a specific group or groups.
- The risk involved by not making the change;
- The risk if the change does not go as planned; and
- Predictability of the success of the change.
- Changes must be vetted for security implications through Information Security and Assurance participation.
- Significant User experience changes must be conveyed to the Change Control Board and communicated to the affected audience and IT Service Desk.
- A lessons learned session should occur in the event of an incident during a change request.
Definitions
Change Control is a systematic approach to managing all changes to University IT Resources. The purpose is to ensure that no unnecessary changes are made, that all changes are documented, that services are not unnecessarily disrupted, and that resources are used efficiently.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Related Policies and Procedures
- Change Control Process
- Change Request in ServiceNow
- Patch Management Policy
- Vulnerability Management Policy
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Director of Change Management |
| Approved By: | CISO |
| Approval Date: | April 15, 2019 |
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 04/15/2019 | Initial document |
| 1.0.1 | 04/01/2020 | Updated policy statement |
| 1.2 | 06/02/2020 | Updated change request document |
| 1.3 | 03/03/2022 | Updated policy statement |
| 2.0 | 03/30/2023 | Updated the Change Request in ServiceNow link |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.