Policy Number: IT-02
Effective: 11/19/2015
Last Revised: 10-16-2017
Responsible Executive: Executive Vice President & CFO
Contact Information: 765-677-2605
Change Management Policy
I. Scope
This policy applies to all changes to information technology services provided by UIT. Any changes to non-priority IT components, such as non-production systems, testing/development environments, and UIT-owned resources, are not in scope of this policy.
II. Policy Statement
All changes to in-scope systems and applications must be processed through the change management process to ensure adequate and appropriate planning, testing, and execution. In-scope changes will be categorized as one of three types of changes:
Standard Changes
Low risk changes with well-understood and predictable processes and outcomes based on a defined trigger. Standard changes are pre-authorized; thus, may be executed in accordance to the approved, documented requirements.
Standard changes must be documented to the degree possible and as required by the Change Advisory Board (CAB) with the type of change, the timing of such changes, and approval from the CAB. All standard changes must be processed through the change management process as a normal change prior to being established as a standard change. Once approved as a standard change, the changes may take place without progressing through the CAB and change management process; however, the CAB may request each instance to be calendared or other documentation to be created as necessary.
Normal changes
Medium or high risk or impact changes that must proceed through the complete change management process.
All normal changes must be presented to and unanimously approved by the CAB in the form of a Change Request in iSupport prior to implementation to in-scope, production systems. See IWU Change Management Process.
Emergency Changes
Changes to address a threat to the University or repair an issue with an IT system or service. Very few changes are considered emergency changes. Failure to plan is NOT an emergency.
Emergency changes are to be authorized by two CAB members or by the CIO and one CAB member. A change request must be completed and documented post-implementation, if an abbreviated request cannot be created pre-implementation.
III. Reason for the Policy
Change management aids in establishing and maintaining stable and secure information systems for all University Information Technology (UIT) customers. This is accomplished through standardized processes and procedures to track and approve all requested changes to in-scope, production information assets. Through the change management process, the following five risk indicators should be mitigated:
- Unauthorized changes
- Unplanned outages
- Low change success rate
- High number of emergency changes
- Delayed project implementations
IV. Procedures
Change management must adhere to the following general process:
- Planning: At a minimum, planning must include scope, audience, implementation design, schedule, communication plan, testing plan, and back-out plan.
- Evaluation: The evaluation should include an impact analysis, risk analysis, and the change type. The following questions should be answered to complete the impact analysis:
|
Yes |
No |
Has this change been conducted before? |
+0 |
+1 |
Is this change simple to make? |
+0 |
+2 |
Does UIT have a clear understanding of what the change will do? |
+0 |
+2 |
Will the outcome of change be noticeable to customers? |
+1 |
+0 |
Could this change impact other services? |
+2 |
+0 |
Could this change potentially result in an extended service interruption? |
|
|
The resulting scores of the impact analysis should be used to measure the risk according to the following matrix:
System(s) Impacted \ Risk Score |
Low (score 0-1) |
Medium (Score 2-3) |
High (Score 4+) |
Business-facing |
Standard |
Normal |
Normal |
Infrastructure |
Standard |
Normal |
Normal |
UIT only |
Standard |
Standard |
Standard |
- Review: The CAB reviews the change request in the weekly CAB meeting.
- Approval: The CAB approves or rejects the change.
- Communication: The project manager executes the communication plan.
- Implementation: Implement the change according to the plan and any advice given by the CAB.
- Testing: Execute the testing plan.
- Documentation: Document the outcome of the change and testing.
- Post-mortem review: At the discretion of the CAB, a review of the change with applicable stakeholders for future improvements may be requested.
All change requests will be documented in iSupport according to the Change Management Process.
The CAB will meet on a weekly basis with required attendance for each functional area within UIT. Each member of the CAB is responsible for reviewing each change request for the following two weeks prior to the weekly CAB meeting. Primary membership consists of the following individuals or their assigned representative with voting rights:
- Information Security Officer (Chair)
- Director of User Services (Backup chair)
- Director of Software Development
- Director of Infrastructure
- IWU-Marion CSR
- IWU-National & Global CSR
Each primary member listed above is required to appoint a backup individual in the case of absence and notify the CAB of that backup.
V. Definitions
Change: The addition, modification, or removal of in-scope hardware, software, application, network, system, environment, or associated documentation
Change Advisory Board (CAB): The oversight committee charged with reviewing and approving changes to in-scope resources
Change Control: The process of ensuring all changes to in-scope, production information resources are made in a stable, secure, and predictable manner. Also known as change management.
Change Management: The process of ensuring all changes to in-scope, production information resources are made in a stable, secure, and predictable manner. Also known as change control.
Change Request: The compilation of changes affecting in-scope, production information resources needed by the system owner or project manager
VI. Sanctions
Any faculty or staff found to be in violation of this policy is subject to disciplinary action up to and including termination as required by IWU Human Resources policy and allowed by applicable law.