Policies of the University of North Texas Health Science Center

Transcription

1 Policies of the University of North Texas Health Science Center UNT Health IT Change Policy Chapter 14 UNT Health Policy Statement. It is the standard operating policy of UNT Health, UNTHSC Academic Information Resources and Technology (AIRT) - Information Technology Services (ITS) and AIRT - Health Information (HIM) divisions, that all configuration changes to UNT Health information resources that are classified as mission critical, be tracked and approved by an appropriate change authority and through the use of a documented change management process. The goal of this policy is to ensure that service availability is maximized, information security is preserved and that UNT Health business processes are not adversely disrupted by undesirable changes to information resources, while maximizing the productivity of persons involved in the planning, coordination, communication and implementation of quality changes. Application of Policy. This policy governs all UNT Health owned information resources that directly support the functioning of IT applications and/or services that are classified as mission critical. Specific IT applications and/or services that are currently defined as mission critical are listed within Appendix A. Any IT application and/or service not listed within Appendix A is considered out of scope of this policy. Information resources that provide general network, storage and processing capabilities that do not directly support UNT Health IT applications and/or services are excluded from this scope. Definitions. 1. Back-Out Plan - A detailed set of instructions to restore the application to its prior state before the change took place. This plan should be created by the Change Agent. Like the Implementation Plan, this must include sequence, tasks and roles need to restore the application. This plan must include communication to the CAB and Service Owners, which must include (at the minimum) when the back-out activities start and when they are finished. 2. Change Advisory Board (CAB) - The CAB is comprised of all current Service Owners and IT Operations Managers. 3. Change Agent - The individual making changes to the environment. 4. Communication Plan - This plan is primarily in place to notify the larger stakeholder or user community that the application is undergoing a change. The Service Owner should be responsible for the creation of the Communication Plan. It must include who will be sending the communication and when in the implementation it should occur. At the

2 very least, it must communicate that the application is undergoing a change, the availability (both up and down) and if a Back-Out Plan is underway. 5. Implementation Plan - A step by step plan, created by the Change Agent or Service Owner, to put the requested change into place. This plan will identify both the tasks and roles to perform them. This includes go/no-go decisions, escalation steps and when to execute a Back-Out Plan. Communication to the Service Owner and to the CAB must be included in this plan 6. IT Operations Manager - The IT operations manager is a management or technical lead position that is part of the IT service delivery organization (ITS). 7. Mission Critical - IT application, service or system that is vital to the operation of UNT Health which, if made unavailable would result in considerable harm to UNT Health and UNT Health's ability to fulfill its mission. 8. Service Owner - The Service Owner is a senior management position that has overall responsibility and provides oversight for an IT application or service. Multiple service owners may be assigned to a single IT application or service. 9. Test Plan - A plan created by the Change Agent or Service Owner that will verify that the change took place. This must define what is an adequate proof (screenshot, , log, sign off, etc.) that the Change Agent performed the change successfully. This must be written prior to the change and cannot be changed once the change request has been submitted. Procedures and Responsibilities. 1. The Change Agent is responsible for logging the requested application, service or system change within the UNT Health Change System and for providing the required documentation, as noted in the Change Classification, Procedures and Required Documentation chart located in Appendix A. Change Agent 2. Service Owners are responsible for classifying common changes that apply to each respective IT application or service and for validating and approving change requests. Service Owners must review the information provided in every change request in order to ensure that the changes are sufficiently researched, documented, planned and executed. Service Owners are also responsible for ensuring that the timing of change executions does not conflict with active business processes and other changes. A current list of Service Owners is contained within Appendix A of this policy. A current list of change classifications for common changes is contained within the Change Classification, Procedures and Required Documentation chart located in Appendix A of this policy. Service Owner

3 3. The IT Operations Manager is a management or technical lead position that is part of the IT service delivery organization (ITS). IT Operations Managers review changes to confirm technical completeness, accuracy of technical impact and risk analysis plans for final test, install, back-out and recovery, and identification and review of all technical dependencies. A current list of IT Operations Managers is contained within Appendix A of this policy. IT Operations Manager 4. The Change Advisory Board (CAB) is comprised of all current Service Owners and IT Operations Managers. The CAB is responsible for Reviewing and/or updating this policy at least annually. Ensuring that change management related policies and goals are correctly implemented and that required processes are correctly followed. The design, implementation and maintenance of the UNT Health Change System. Identifying & reviewing IT applications and services that are Mission Critical that fall under the scope of this policy (Appendix A). Current members of the CAB are within Appendix A of this policy. Change Advisory Board References and Cross-references. None Forms and Tools. Appendix A Change Classification, Procedures and Required Documentation Approved: May 13, 2014 Effective: May 13, 2014 Revised:

4 Appendix A Change Classification, Procedures and Required Documentation Change Classification Routine Description Tracking & Approval Prior Testing Required? A common change No. that has a low risk of a Routine change, and low impact, Change Agents are Prior testing is which follows an required to enter in recommended established process. these changes within but not This type of change the UNT Health required. is relatively common Change and is the accepted System for solution to meet a communication and specific set of tracking purposes. business Prior approval from requirements. Service Owners and/or IT Operations is not required. Approval is delegated to Change Agents. Required Documentation None. Standard A change that has medium risk and medium impact. Common Standard changes include changes to built-in application and/or system features including application configuration parameters, master files, user security permissions and minor bug fixes provided by the vendor. of a Standard change, Change Agents are required to enter these changes within the UNT Health Change System for approval, communication and tracking purposes. of a Standard change, approval must be obtained from designated Service Owners. Yes. Test Plan

5 Major Emergency A change that has high risk and high impact due to significant service impact and/or resources required to accomplish the change. Common major changes include application upgrades, systems wide process enhancements, redesign and/or new development. A change that must be introduced as soon as possible as a result of an urgent or critical event. This event must have significant impact on service. of a Major change, Change Agents are required to enter in these changes within the UNT Health Change System for approval, communication and tracking purposes. of a Major change, approval must be obtained from designated Service Owners & IT. Change Agents are authorized to execute an emergency change without prior approval. Full documentation must be submitted via the UNT Health Change System upon abatement of the crisis and within 48 hours of the change. Yes No. Test Plan Implementation Plan Back-out Plan Stakeholder Communication Plan Depends on final classification of emergency change. Documentation requirements for respective Routine, Standard or Major classifications will apply. All emergency changes will follow the Routine, Standard or Major classifications that were previously defined.

6 Mission Critical Applications and Services Application/Area Environment Class Notification Service Owner IT Operations Manager NextGen Major Upgrade Production Major All Director, Process Improvement Director, IT Infrastructure & Security Production Standard All NextGen Template (New/Modification) Non-Production Routine All NextGen Rosetta Production Standard All Director, Process Improvement Director, IT Infrastructure & Security Non-Production Routine NextGen Customization (Database) Production Standard All Director, Information Services Non-Production Standard All Director, Information Services NextGen Customization (Server) Production Standard All Director, IT Infrastructure & Security Non-Production Standard All Director, IT Infrastructure & Security Director, IT Infrastructure & Security Non-Production Standard All NextGen Database Refresh Director, Information Services Production Standard All Controller, UNT Health NextGen Preferences/Configuration Non-Production Standard All Controller, UNT Health NextGen Host/Server/DB Production Standard All Director, IT Infrastructure & Security Maintenance Non-Production Standard All Director, IT Infrastructure & Security Clinical/Financial Reporting (Non- NextGen) Production Routine All Controller, UNT Health Director, Information Services Epicor/Vision Production Standard All Controller, UNT Health Director, Information Services Epicor/Vision Host/Server/DB Maintenance Production Standard All Director, IT Infrastructure & Security