IT Change Management is the process of requesting, analyzing, approving, developing, implementing, and reviewing a planned or unplanned change within the IT infrastructure. The Change Management Process begins with the creation of a change ticket within Jira. It ends with the satisfactory implementation of the change and the communication of the result of that change to all interested parties.
The intent of the IT change management process is to accomplish updates and system modifications in compliance with statutory obligations (GLBA, HIPAA, PII), and industry best practices to minimize the business impact, costs, and risks of changes.
This policy applies tosystem changes and/or privileged access escalations affectingIT services provided by Computer & Information Services (CIS). All CIS staff members, consultants or agents of SPU and any parties who are contractually bound through CIS to build or support its technology architecture are required to abide by this policy. Out of scope items include operational or systems administrative duties as defined by the CIS service owner. Changes made to non-priority IT components - such as systems that are not yet in production, development environments or testing environments - are also outside the scope of this policy.
Policy Version: 1.1
Responsible Office: Computer & Information Systems Responsible Executive:AVP Technology Services/CIO
Effective Date: November 25, 2019 Last Updated: September 13, 2022
Proposed changes generally fall into one of these classifications:
These changes generally affect just one system, are easily identified as having low risk of negative impact, and often involve little work to implement. These changes are not subject to the same rigors in planning and upfront communication. Due to the low risk, cost, and impact of these changes, formal review is waived in favor of delivering the value of the change more quickly.
These changes may affect multiple systems, require business system downtime (even if just briefly), or substantially alter the behavior of the affected system(s). These changes are scheduled and reviewed in a weekly review meeting, as well as in some smaller team meetings, to ensure any potential negative ramifications are considered.
Major changes sometimes have a compelling business reason that they should be implemented urgently. The urgency of these changes necessitates that they not wait until the typical weekly review before being implemented. Instead, ad hoc review is completed through proactive email and in-person communication to appropriate stakeholders and responsible parties.
CIS uses Atlassian Jira to track all changes. To ensure proper tracking, any such ticket is given a Type of "Change" or "Upgrade/Patch." Accurate classification grants us quick visibility into both planned and recently completed changes. These changes are compiled in a Jira dashboard highlighting the following tickets:
All "Change" and "Upgrade/Patch" tickets with a Prod Change Date, Test Change Date, or Due Date within the next 30 days, as well as change tickets with none of these fields yet populated (i.e.: as yet unscheduled, but forthcoming).
Upcoming changes to data center or perimeter firewall rules.
Completed Change and Upgrade/Patch tickets that have had a Test Change Date, Prod Change Date, Due Date or Resolution Date in the last 30 days.
Tuesday morning, a list of changes scheduled in the upcoming week is sent to all CIS staff.
Tuesday morning, all CIS staff invited to a meeting to review upcoming changes. All staff who are involved in changes coming in the next 8 days are expected to be present and participate. Any staff with questions or concerns based on the list sent earlier are encouraged to attend as well. The review meeting also serves as an opportunity to review recently completed changes that may have missed formal review (e.g. Minor or Urgent changes).
All CIS staff are expected to review the list of upcoming changes and raise up any conflicts, questions, or concerns regarding any of the items.
Staff responsible for executing changes are expected to participate in the review meeting.
The review meeting takes place the day prior to the weekly maintenance window and changes to planned maintenance activities are made as needed prior to commencement.