Skip to main content

Change Control Policy

Version 1.2


The purpose of this policy is to ensure that all changes to University IT Resources minimize any potential negative impact on services and Users.


This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • All University IT Resources changes must be documented per the Change Control Process.
  • All changes to University IT Resources must follow the Change Control Process to ensure appropriate approval, planning, and execution.
  • Change requests may not be required for non-production (e.g., DEV, Test, QA) environments unless there is a significant upgrade or an impact.
  • Production change requests must note that the change has been successfully applied, tested, and verified in a non-production environment when an applicable environment(s) exist.
  • Changes to production environments undergo impact examination before the submission of the change request per the Change Control Process. This information will be used to determine the impact of the change by considering:
    • The impact the proposed change will have on business services, if it is expected to cause a widespread outage, a loss of connectivity or functionality to a specific group or groups;
    • The risk involved in not making the change;
    • The risk if the change does not go as planned; and
    • Predictability of the success of the change.
  • Significant User experience changes must be conveyed to the Change Control Board (CCB) and communicated to the affected audience and IT Customer Care (ITCC).
  • Changes must be vetted for security implications through the participation of the University Information Security Office (UISO).
  • A lessons learned session should occur in the event of an incident during a change request.


Change Control is a systematic approach to managing all changes made to University IT Resources. The purpose is to ensure that no unnecessary changes are made, that all changes are documented, that services are not unnecessarily disrupted, and that resources are used efficiently.

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Director, Innovation and Change Management
Approved By: CISO
Approval Date: April 15, 2019

Revision History

Version: Date: Description:
1.0 04/15/2019 Initial document
1.0.1 04/01/2020 Updated policy statement
1.2 06/02/2020 Updated change request document

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to UISO written policies may be met with University sanctions.