The University of Texas Pan American. Change Management Standard and Procedures. Division of Information Technology

Transcription

1 The University of Texas Pan American Change Management Standard and Procedures Division of Information Technology Page 1

2 Table of Contents Introduction... 3 Purpose... 3 Scope... 3 Procedures... 3 Communication... 4 Change Committee... 4 Emergency Change... 4 Planned Change... 4 Approve Change... 5 Implement Change... 5 Document Change... 6 Definitions... 6 Review... 7 Page 2

3 The University of Texas-Pan American Change Management Standard and Procedures A. Introduction The Information Resources infrastructure at The University of Texas-Pan American (UTPA) is dynamic in nature and is constantly changing to meet the mission of the University. Maintaining and preserving the highest possible levels of availability of Information Resources is a fundamental goal at UTPA. The Change Management Standard and Procedures serves as a supplement to The University of Texas-Pan American s Information Resources Security Operations Manual and UT System Policy 165 (UTS165). B. Purpose The purpose of this document is to set forth change management processes to ensure secure, reliable, and stable operations to which all offices that support Information Resources are required to adhere. The Change Management Standard and Procedures also ensures that all changes to Information Resources (e.g., computer hardware, computer software, operating systems, applications, database, data, network, security, and telecommunications) occur in a rational and predictable manner and within a controlled environment so that planning can occur accordingly. In addition, the standard serves as a vehicle for identifying, communicating, planning, testing, approving, implementing, and documenting changes to UTPA s Information Resources. C. Scope This document applies to any action or change that affects any production or associated environment systems that house UTPA s Information Resources, including but not limited to all UTPA workforce members (e.g., faculty, staff, student workers, interns, contractors, vendors, consultants, volunteers, etc.) who own, operate, or maintain information resources. D. Procedures Every change to UTPA Information Resources including computer hardware, computer software, operating systems, applications, database, data, network, security, and telecommunications systems is subject to the Change Management standard and must follow all applicable Change Management Procedures. A change request should be made for all scheduled and unscheduled changes using the Information Technology Change Request Form. Page 3

4 All changes affecting computing environmental facilities (e.g., air-conditioning, water, heat, plumbing, electricity, and alarms) should be coordinated with and reported to the appropriate college, school, unit or department managing the systems in that facility. Communication Communication before, during, and after the change is a key component of the change management process. Adequate information and advance notice for change request should be provided, especially if a response is needed. It also should be clear whom people should respond to, if a response is expected. Change Management Change Committee The Change Management Committee (CMC) is charged with reviewing and approving changes for implementation in the Production environment. Change Management Committee membership is appointed as specified in the Change Management Committee Charter. Change Manager The Change Manager will review and approve changes that have been pre-approved by Change Management Committee. The Change Manager will escalate all other changes to the CMC for review and approval. Responsibilities of the Change Manager include the following: Authorizing proposed changes that have been pre-approved by the CMC Submitting proposed changes to the CMC that have not been previously preapproved by the CMC Verifying that the documentation has been adequately prepared Verifying that the appropriate test plan has been successfully completed and documented Verifying that sign-off documents have been completed Verifying and authorizing the back-out plan Verifying the test results of the back-out plan Communicating the outcome of the change request to the initiator and stakeholders Emergency Change An emergency change may occur when a critical service is down or severely impaired with disruption to business and/or student activities. Regardless of the urgency of the situation, the data owner, custodian group representative, and Vice President for Information Technology must give approval when an emergency change is required between Change Management Committee meetings. Emergency changes that have been implemented must also be classified, documented, and presented to the appropriate Change Management. Page 4

5 Break/Fix changes required outside normal business hours will be handled by the assigned staff, documented and reported on the next business day to the appropriate Change Management. Planned Change When planning the change, the initiator and Change Manager are responsible for the following: Determining if the change is an emergency or a planned change Identifying the need for changes to production system Presenting the change request to the appropriate Change Management Determining the timeframe for the change Working with the appropriate group to schedule the planned change Identifying the individuals involved in testing the change Maintaining communications with stakeholders as the change progresses from inception to implementation Assuring that approvals occur within the needed timeframe; alternatively, obtaining alternate approvals Verifying and documenting the outcome of the changes and rating their success Test Change Every change must have a verification plan which will assure the change will be made successfully. The verification plan may include pre-testing in a test environment, or alternatively breaking the change into sufficiently small increments that can be tested in off-hours using production environments. The results will be documented and verified as part of the change management process. The individual testing the change is responsible for the following: Developing an appropriate test plan Developing appropriate verification plan Identifying any inadvertent consequences that might result in stability or security issues Verifying successful test results: resolving and re-testing any issues Documenting test results Communicating test results to the data owner and the appropriate Change Management for final approval of the change Developing, testing and documenting a back-out plan Verifying back-ups beforehand when production environments are used. Page 5

6 Approving Change The change request, test results and sign-off document must be presented to the appropriate Change Management for review of the change to be implemented. A meeting with the initiator and Change Management Committee may be necessary to review the requested change. If a meeting is required, the initiator must be present to answer any questions or address any concerns the Change Management Committee may have. The Change Management Committee should assess the risks and benefits of either making the change or not making the change. The Change Management Committee reserves the right to alter the change plan, make recommendations and/or send it back for revisions, if the change proposal is unacceptable or requires additional work. Implement Change The Change Management Committee authorizes the change that is to be implemented. Only changes that have been approved may be implemented in a production environment. The implementation team is responsible for the following: Obtaining authorization from the appropriate Change Management to migrate the change Ensuring adequate staff is available to migrate the change Communicating the migrated change to the appropriate Change Management Migrating successfully tested changes to the production environment Document Change All change requests must be formally documented, classified, and prioritized to ensure they are planned for accordingly. The Initiator, Data Owner, Custodian, Change Management and those involved in the Change Management Process are responsible for reviewing the documented changes for correctness, completeness, and adherence to standards and procedures. The Information Technology Change Request Form contains detailed information about the change and is required for changes submitted to the Change Management Committee. A change request log must be maintained and published for awareness that a change is being or has been implemented. A change log must include at least the following: Date of submission and date of change Data Owner and custodian contact information Nature of the change Page 6

7 Indication of success or failure Status of change Change Control Documentation Change control documentation such as diagrams, schematics, processes must be maintained in a current state (i.e., all documentation must be updated before the change request can be closed). E. Definitions Change: Any addition, modification or update of an Information Resource that can potentially impact the operation, stability, or reliability of a University network or computing environment. Change Management: The process of controlling the communication, approval, implementation, and documentation of modifications to hardware, software, and firmware to ensure that information resources are protected against improper modification before, during, and after system implementation. Change refers to: Any implementation of new functionality Any interruption of service Any repair of existing functionality Any removal of existing functionality Change Management Committee: Group of people appointed to review, approve/reject a change request. Change Manager: Individual responsible for any and all changes within his or her area of responsibility. Custodian: Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. The custodians of information resources, including entities providing outsourced information resources to the University, must: Implement the controls specified by the approved change request Provide physical and procedural safeguards for the information resources Assist owners in evaluating the cost-effectiveness of controls and monitoring Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents. Custodians include Information Security Administrators, University information technology/systems departments, vendors, and any third party acting as an agent of or otherwise on behalf of the University. Page 7

8 Data Owner: The manager or agent responsible for the function that is supported by the resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing the controls that provide the security. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by managers of different departments. Information Resources (IR): Any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving , browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. Initiator: Individual(s) who initiate a change request and is/are responsible for the specific change from the moment it is requested until its implementation. The individual(s) is/are responsible for in-depth understanding of the nature of the change and must be present at any meeting held to approve/reject the change. Scheduled Change: Formal notification received, reviewed, and approved through the review process in advance of a change being made. Unscheduled Change: Failure to present notification through the review process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of security vulnerability. F. Review The Vice President for Information Technology and Information Resource Manager shall review this standard as needed and deemed necessary. Page 8