Change Management Process


Change Management Lifecycle: The Change Management Process tracks all managed changes through all stages of the Change Management lifecycle; from initial submission of the change request, through formal consideration and approval, to either successful implementation or restoration to prior operational state. 

 

  1. Change Requests:  
  1. Change requests will be submitted through a formal request process defined in the Change Management Standards & Procedures.  
  2. Changes will be categorized as Routine, Normal, Major, or Emergency. 
  1. Emergency submissions are required for review of changes that occurred without normal change control approval.

 

  1. Change Approval:  
  1. I.T. will review documentation, assess risk, evaluate impacts and approve or reject the change request. 
  2. Routine Changes do not require approval.

 

  1. Change Testing:  
  1. Changes to applications containing critical I.T. functionality must be documented and validated in a test environment prior to implementing the change into the production environment, where feasible.
  2. I.T. will maintain a level of testing and documentation necessary to support an approved change is commensurate with the complexity and risk of the change.   
  3. I.T. will retain evidence to support testing activities in a secure, centralized repository as defined within the Change Management Standards & Procedures.

 

  1. Change Implementation 
  1. Access to implement changes in the production environment will be limited to authorized users in accordance with job responsibilities.  
  2. Segregation of duties between change development and change implementation will be enforced, where feasible.  
    1. I.T. will establish change monitoring controls when segregation of duties cannot be maintained.  
  3. Change activity will be documented, reviewed for accuracy, and approved as defined.

 

  1. Change Environments 
  1. Where feasible, I.T. will maintain a non-production environment to support development and testing of changes to high-risk systems. 
  2. All changes will adhere to the data sanitization or protection processes set forth by Information Security. 
  3. Access to the production environment will be restricted to appropriate members of the team responsible for deploying changes to production.  

 

  1. Change Types 
  1. Routine Changes: Changes that are routine in nature and are intended to improve performance, correct problems, or enhance security. These do not typically require expedited timeframes to complete. Routine changes require their procedure registered and approved by the Change Advisory Board and shall be submitted through the formal change request process. Once approved, Routine changes do not require approval to execute again unless the affected environment or registered procedure changes. 
  2. Normal Changes: Changes made to Connor Group or third-party hardware or software that occur without expedited timeframes or escalation.  Normal changes shall be released at a scheduled time after all affected parties are notified, all testing is completed, and all approvals are obtained and documented.  Normal changes are submitted through the change request process. 
  3. Major Changes: Changes affecting over 100 users, involving a large scope for impact or high-risk events, and can be related to a third-party vendor or internal groups. 
  4. Emergency Changes: Emergency changes are changes made to production systems during an emergency event that subverted the standard review and approval process of change management. Emergency changes require modification of production systems within a limited timeframe and bypass control points listed for Change Management. Emergency changes still must be submitted through the change request process but are most often done postmortem to capture the event and changes.