Change Control Policy

Version 2.0

For Students, Faculty, Staff, Guests, Alumni


The purpose of this policy is to ensure that all changes to University IT Resources minimize any potential negative impact on services and Users.


This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • All University IT Resources changes must be documented per the Change Control Process.
  • All changes to University IT Resources must follow the Change Control Process to ensure appropriate approval, planning, and execution.
  • Change requests may not be required for non-production (e.g., DEV, Test, QA) environments unless there is a significant upgrade or an impact.
  • Production change requests must note that the change has been successfully applied, tested, and verified in a non-production environment when a suitable environment(s) exists.
  • Changes to production environments undergo impact examination before submitting the change request per the Change Control Process. This information will be used to determine the impact of the change by considering:
    • The impact the proposed change will have on business services if it is expected to cause a widespread outage, a loss of connectivity, or functionality to a specific group or groups.
    • The risk involved by not making the change;
    • The risk if the change does not go as planned; and
    • Predictability of the success of the change.
  • Changes must be vetted for security implications through Information Security and Assurance participation.
  • Significant User experience changes must be conveyed to the Change Control Board and communicated to the affected audience and IT Service Desk.
  • A lessons learned session should occur in the event of an incident during a change request.


Change Control is a systematic approach to managing all changes to University IT Resources. The purpose is to ensure that no unnecessary changes are made, that all changes are documented, that services are not unnecessarily disrupted, and that resources are used efficiently.

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Director of Change Management
Approved By: CISO
Approval Date: April 15, 2019

Revision History

1.0  04/15/2019 Initial document
1.0.1  04/01/2020 Updated policy statement
1.2  06/02/2020 Updated change request document
1.3  03/03/2022 Updated policy statement
2.0  03/30/2023 Updated the Change Request in ServiceNow link

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions. 

 Need Help?

Walk-In Centers

McShane Center 266 | RH
Leon Lowenstein SL18 | LC

View Our Walk-In Hours