Corporate ICT Change Management

Transcription

1 Policy Corporate ICT Change Management Please note this policy is mandatory and staff are required to adhere to the content Summary A formal change management system must be approved, implemented and enforced to ensure the controlled, secure and authorised installation, maintenance and upgrade of operating systems, applications software, application systems software and significant hardware and environment components. Table 1 - Document details Publication date February 2011 Review date January 2014 Related legislation/applicable section of legislation Related policies, procedures, guidelines, standards, frameworks Replaces ICT Security Policy February 2011 Policy officer (position) Manager, ICT Assurance Policy officer (phone) Policy sponsor (position) Executive director responsible (position and office) Applies to Key words Status Approved by Assistant Director, ICT Strategy & Relationships Executive Director, Infrastructure All DECD Employees ICT Change Management Approved Executive Director, Infrastructure Approval date February 2011 Version Corporate ICT Change Management February 2011

2 Table 2 - Revision record Date Version Revision description 2 Corporate ICT Change Management February 2011

3 Table of Contents Policy... 1 Corporate ICT Change Management... Error! Bookmark not defined. 1. Title Purpose Scope Policy detail Roles and responsibilities Monitoring, evaluation and review Definitions and abbreviations Supporting documents References...6 Appendix Corporate ICT Change Management February 2011

4 1. Title Corporate ICT Change Management 2. Purpose A formal change management system must be approved, implemented and enforced to ensure the controlled, secure and authorised installation, maintenance and upgrade of operating systems, applications software, application systems software and significant hardware and environment components. 3. Scope All DECD employees. 4. Policy detail General Formal change management procedures must be used to install new or modified operating, application or hardware systems into production and to decommission system components. Changes must be scheduled to minimise disruption to normal business In the event of an emergency a change may not always be scheduled, however procedures will ensure urgent changes remain controlled at all times. (Emergency procedures reflect normal management procedures with allowances for fast tracked solutions.) Documented Procedures Change management procedures must be documented, maintained and managed as formal documents. This documentation will include details including scheduling requirements, interdependencies with other systems, support contacts, restart and recovery procedures, customer notification requirements and any other special instructions. System Changes System changes must be classified against an established set of priorities and defined change categories. Change Authority The owners of the application systems and resources must provide the necessary authority and approval to the custodian of the systems and resources to enable changes to be performed. Change Process The custodian of the application systems and resources can only initiate the change to production on the authority of the owner of the system after the required testing, acceptance and quality assurance 4 Corporate ICT Change Management February 2011

5 approvals are obtained. Appropriate back-out procedures must be established prior to initiation to maintain controlled situations in the event of a change being cancelled. Cooperative Processing Changes must be reviewed and tested to ensure there is no adverse impact on the security or operation of any other infrastructure components or systems. Change Documentation Documentation of the changes applied to equipment, operating systems and information systems must be maintained for production systems and systems under development. The records must include the authorisation documents, library change logs, system logs, and management acknowledgments and approvals as appropriate. Change Review Evidence of the review of changes and the change process must be documented and maintained. Emergency Changes Where emergency changes to production systems and data are required, the event must be recorded and appropriate documentation and approvals obtained as soon as possible after the event. Failures must be investigated, causes identified and logged, and permanent changes implemented to prevent recurrence, in accordance with this policy. 5. Roles and responsibilities Table 2 - Roles and responsibilities Role Authority/responsibility for 6. Monitoring, evaluation and review 5 Corporate ICT Change Management February 2011

6 7. Definitions and abbreviations Table 3 - Definitions and abbreviations Term Meaning 8. Supporting documents The DECD Policy ICT Security is relevant and must be read in conjunction with this policy. 9. References N/A Appendix N/A 6 Corporate ICT Change Management February 2011