CIS Change Management Policy

Owned by Meier, Josh
Last updated: Nov 21, 2023 by Guo, Chiyao (Deactivated)
3 min read

Statement and Purpose

Table of Contents

IT Change Management is the process of requesting, analyzing, approving, developing, implementing, and reviewing a planned or unplanned change within the IT infrastructure. The Change Management Process begins with the creation of a change ticket within Jira. It ends with the satisfactory implementation of the change and the communication of the result of that change to all interested parties.

The intent of the IT change management process is to accomplish updates and system modifications in compliance with statutory obligations (GLBA, HIPAA, PII), and industry best practices to minimize the business impact, costs, and risks of changes.

Scope

This policy applies to system changes and/or privileged access escalations affecting IT services provided by Computer & Information Services (CIS).  All CIS staff members, consultants or agents of SPU and any parties who are contractually bound through CIS to build or support its technology architecture are required to abide by this policy.  Out of scope items include operational or systems administrative duties as defined by the CIS service owner.  Changes made to non-priority IT components - such as systems that are not yet in production, development environments or testing environments - are also outside the scope of this policy.


Policy Version: 1.1

Responsible Office: Computer & Information Systems
Responsible Executive: AVP Technology Services/CIO

Effective Date: November 25, 2019
Last Updated:  September 13, 2022

Change Classifications

Proposed changes generally fall into one of these classifications:

Minor

These changes generally affect just one system, are easily identified as having low risk of negative impact, and often involve little work to implement.  These changes are not subject to the same rigors in planning and upfront communication. Due to the low risk, cost, and impact of these changes, formal review is waived in favor of delivering the value of the change more quickly. 

MajorThese changes may affect multiple systems, require business system downtime (even if just briefly), or substantially alter the behavior of the affected system(s). These changes are scheduled and reviewed in a weekly review meeting, as well as in some smaller team meetings, to ensure any potential negative ramifications are considered.
UrgentMajor changes sometimes have a compelling business reason that they should be implemented urgently.  The urgency of these changes necessitates that they not wait until the typical weekly review before being implemented.  Instead, ad hoc review is completed through proactive email and in-person communication to appropriate stakeholders and responsible parties.

Change Review

Review Tools

CIS uses Atlassian Jira to track all changes.  To ensure proper tracking, any such ticket is given a Type of "Change" or "Upgrade/Patch." Accurate classification grants us quick visibility into both planned and recently completed changes.  These changes are compiled in a Jira dashboard highlighting the following tickets:

  1. All "Change" and "Upgrade/Patch" tickets with a Prod Change Date, Test Change Date, or Due Date within the next 30 days, as well as change tickets with none of these fields yet populated (i.e.: as yet unscheduled, but forthcoming).

  2. Upcoming changes to data center or perimeter firewall rules.

  3. Completed Change and Upgrade/Patch tickets that have had a Test Change Date, Prod Change Date, Due Date or Resolution Date in the last 30 days.

Tuesday morning, a list of changes scheduled in the upcoming week is sent to all CIS staff.

Review Meeting

Tuesday morning, all CIS staff invited to a meeting to review upcoming changes.  All staff who are involved in changes coming in the next 8 days are expected to be present and participate. Any staff with questions or concerns based on the list sent earlier are encouraged to attend as well.  The review meeting also serves as an opportunity to review recently completed changes that may have missed formal review (e.g. Minor or Urgent changes).

Review Expectations

All CIS staff are expected to review the list of upcoming changes and raise up any conflicts, questions, or concerns regarding any of the items.

Staff responsible for executing changes are expected to participate in the review meeting.

The review meeting takes place the day prior to the weekly maintenance window and changes to planned maintenance activities are made as needed prior to commencement.

Additional details regarding specific aspects of the review process are documented internal to CIS: /wiki/spaces/appteam/pages/39967726

Related Policies and Procedures