Introduction
For Connor Group, computer endpoints (workstations and laptops) are the primary tool for productivity and connectivity in business environments. As such, computer endpoints must be appropriately managed and protected to ensure compliance with legal and business requirements for Connor Group assets. This standard codifies expectations for proper management of this critical asset. It is one of a set of documents that together form Connor Group's Information Security Management System (ISMS).
Purpose
The purpose of the Change Management Standard (“Standard”) is to establish the requirements for implementing formal changes to production hardware and software affecting significant technology resources utilized by Connor Group with the intent of minimizing the risk of service disruptions.
Changes to Connor Group’s system environment must be properly approved, developed, tested, monitored, and implemented to provide the highest levels of confidentiality, availability and integrity. This Standard provides overall guidance for managing production change in Connor Group’s environment.
Scope
This Standard pertains to all changes that will impact production systems, business use applications, and third party I.T. Services managed or used by Connor Group that store, process, or relay company or customer data, regardless of location.
Unless explicitly stated, this Standard does not apply to non-production environments that have no production impact.
All staff and Third Parties responsible for the management of IT Systems are responsible for understanding the content of this Standard and following its requirements. In the event of uncertainty regarding Standard applicability, contact Information Technology for clarification or guidance.
Definitions
References for terminologies or acronyms used within Information Security Standards can be accessed within the Glossary of Definitions (https://helpdesk.connorgp.com/a/solutions/articles/11000112202).
Standard
1. Information Technology shall maintain a review and approval process for changes to Connor Group production resources.
2. Change Review and Approval
- A Change Advisory Board (CAB) shall oversee the Change Control program and shall meet as needed to review, approve, and direct production changes to the environment.
- Members of the CAB may not be the sole approver of their own registered Change Control.
3. Change Control Types and Detail
- Change requests shall be approved, tested, and recorded through a formal Change Management control process. With the exception of Emergency Changes, all changes must be approved by appropriate members of the CAB prior to implementation.
- A change is defined as an addition, modification, or removal of process, software, or hardware affecting production assets. Changes have four categories:
  - Routine: A Standard change with a procedure registered and approved by the CAB. Once initially approved, routine changes do not require further CAB approval to execute in production unless the registered procedure materially changes. Because routine changes establish new approved processes that do not require additional CAB approval, the change control that registers a routine procedure shall require majority approval from the CAB (more than one approver, not including the requester).
  - Standard: A documented change to production systems with a limited scope of impact or risk identified as moderate or lower.
  - Major: An enterprise-wide change to production with high risk or an extended potential impact to critical systems. Major change controls require a majority approval from the CAB prior to implementation.
  - Emergency: Changes made to production systems before review and approval from the CAB. Emergency changes typically occur when a change must be made to resolve an acute or severe issue, such as an outage, or to stop an adverse emergent event. These changes are still to be captured as Emergency Changes, most often submitted and approved after the change has been made.
4. Change requests require at a minimum:
- Description of Change
- Change Type (Routine, Standard, Major, Emergency)
- Estimated Impact
- Estimated Risk
- Change Justification (Reason for change)
- Documented steps for the change (Rollout Plan)
- Testing of the change in non-production environments, where feasible
- Validation and testing criteria to define the result as a successful or failed change
- A Rollback Plan to revert the environment to pre-change settings
5. Change Testing:
Changes to applications containing critical I.T. functionality must be documented and validated in a test environment prior to implementing the change into the production environment, where feasible.
I.T. will maintain a level of testing and documentation commensurate with the complexity and risk of the change.
6. Change Environments
a. Where feasible, I.T. will maintain a non-production environment to support development and testing of changes to high-risk systems.
b. All changes will adhere to the data sanitization or protection processes set forth by Information Security.
Revision History
Revisions require approval by the Director of Information Technology and dissemination to applicable business units prior to release.
| Version | Detail | Author | Date |
| --- | --- | --- | --- |
| 1.1 | Formatting revised with requirements under Policy enumerated for easier reference. | Connor Group Information Security | March 2022 |
| 1.2 | 1. Minor wording change in the introduction for clarity. 2. Removed unnecessary ‘Test Strategy Standards’ reference in 3.a. | Connor Group Information Security | August 2022 |
| 1.3 | Updated ‘Policy’ references to ‘Standard’; added sections 4 and 5. | Connor Group Information Security | November 2023 |