Information Technology Change Management Policy: IJ
PURPOSE:
From time to time, each information technology resource element requires an outage for planned upgrades, maintenance or fine-tuning. Additionally, unplanned outages may occur that may result in upgrades, maintenance or fine-tuning. Managing these changes is a critical part of providing a robust and valuable information technology resources infrastructure.
The purpose of the Information Technology Change Management policy is to manage changes in a rational and predictable manner so that SPC constituents can plan accordingly. Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce negative impact to the user community and to increase the value of Information Technology Resources.
SCOPE:
The SPC Information Technology Change Management policy applies to all individuals that install, operate or maintain SPC information technology resources.
POLICY STATEMENT:
- Changes to SPC information technology resources such as operating systems, computing hardware, networks, and applications are subject to this policy and must follow the SPC-IS Change Management Procedures.
- All changes affecting computing environmental facilities (e.g., air- conditioning, water, heat, plumbing, electricity, and alarms) need to be reported to, or coordinated with, the appointed IRM liaison of the change management process.
- A formal written change request must be submitted for all changes, both scheduled and unscheduled.
- All scheduled change requests must be submitted in accordance with change management procedures so that the request may be reviewed to determine potential failures, or conflicts, and make the decision to schedule the request.
- Each scheduled change request must receive approval before proceeding with the change.
- The IRM or appointed representative may deny a scheduled or unscheduled change for reasons including, but not limited to, inadequate planning, inadequate back-out plans, the timing of the change will negatively impact a key business process, or if adequate resources cannot be readily available.
- System owners and/or system administrators may appeal a denied change request to the IRM.
- The IRM will convene the impacted members, system owners, system administrators and other stakeholders as agreed by the IRM and System Owner(s) to make the final determination for implementing or not implementing the requested change.
- Customer notification must be completed for each scheduled, or unscheduled, change following the steps contained in the Change Management Procedures.
- A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not.
- A Change Management Log must be maintained for all changes. The log must contain, but is not limited to:
- Date of submission and date of change;
- Owner and custodian contact information;
- Nature of the change; and
- Indication of success or failure including lessons learned.
DEFINITIONS:
Change Control: A formal internal control procedure to manage changes in a predictable manner so that SPC-IS and constituents can plan accordingly.
Change Review: A method involving performing an analysis of the problem, recommended solution, and back out procedure. Implementation should be monitored to ensure security requirements are not breached or diluted.
Information Resources Manager (IRM): Officer responsible to the State of Texas to manage SPC information technology resources. At SPC the IRM is the President of the college.
Outage: Planned or unplanned unavailability or decrease in quality of service due to expected downtime because of upgrades or maintenance or unexpected incidents.
System/Data Owner: Departmental position responsible for classifying business data, approving access to data, and protecting data by ensuring controls are in place.
Related Policies, References and Attachments:
An index of approved SPC-IS policies can be found on the SPC Information Technology Services Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure materials, legal compliance guidelines, and policy enforcement are available in the IA-Policy Compliance Document. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
DIR Security Controls Catalog Control Group: CM-1
Approved by: Executive Council, December 9, 2019
Next Review: October 1, 2020