1615 Information Technology Infrastructure and Applications Change Management Policy

Responsible Official: 
Chief Procurement Officer
Responsible Office: 
Office of Grant and Contract Administration
Effective Date: 
April 17, 2015
Revision Date: 
April 17, 2015

Scope

This policy sets forth change control requirements for the production environments and operational test environments of all information technology (IT) systems and applications intended for use at Yale University and by members of the Yale University Community. This includes modifications implemented by vendors and external organizations.

Policy Statement

Every modification to configuration items shall be managed through a formal change control process. Documented approval through this change control process is required before modifications may be implemented in production. Configuration item owners are ultimately responsible for ensuring compliance of their configuration items with this policy.

When configuration items are owned or managed by Yale Information Technology Services (ITS, or “Central IT”), the Change Advisory Board (CAB) is charged with defining and overseeing the change control process and its related policies and procedures. Independent system, application, process, platform and service (Configuration Items) owners should report planned changes to ITS to ensure continuity of service and to minimize negative impacts on university operations.

Any member of the Yale Community may report non-compliance with this policy to the CAB. System, service, application and process owners who do not comply with the requirements of this policy and its associated procedures will be subject to enforcement action, which may include, but is not limited to, removing network access for or preventing access from the network to the configuration item.

Reason for Policy

This policy establishes formal change management processes to standardize how Yale handles all requests (including maintenance and patches) for modifications to configuration items. This allows Yale to satisfy its need to respond to the technological modifications needed to support Yale University’s mission while ensuring these modifications remain in alignment with the university’s overall information technology strategy by employing the following controls:

  • Ensuring that all changes have been developed, tested and approved before moving forward
  • Confirming the status of deliverables including: completed requirements, testing results and approvals
  • Determining appropriate courses of action for any items that do not meet the completion requirements
  • Participating in the coordination of necessary application teams as needed for the Implementation Planning
  • Tracking status and reporting to leadership

These controls in turn will reduce solution and service delivery defects, reduce the need to rework implementations that have failed due to insufficient preparation, minimize errors due to incomplete request specifications, and halt implementation of unauthorized modifications before negative impacts are realized.

Definitions

ITIL Terms - For the following terms, please refer to the ITIL Glossary (v3, 5/30/2007) which can be found at: http://www.best-management-practice.com/gempdf/itil_glossary_v3_1_24.pdf

  • Application
  • Change
  • Change Management
  • Deployment
  • Post Implementation Review (PIR)
  • Process
  • Request for Change (RFC)
  • System

Change Advisory Board (CAB) – An entity established and chaired by Information Technology Services that has been formed to support change management within IT. (See Roles and Responsibilities.) It consists of associates who have advisory authority on the implementation of changes. CAB members should have a clear understanding of the customer business needs and the user community, as well as the technical development, support functions, and environments. 

Change Control Process - A formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility of introducing defects.

Change Manager - The Change Manager controls the lifecycle of all Changes. The Change Manager’s primary objective is to allow Changes to be made, with minimum disruption to IT services. For impactful Changes, the Change Manager will engage the Change Advisory Board (CAB).

Change Owner – An individual stakeholder who is ultimately accountable for the end result of a change, seeing it through its lifecycle.  Ex: A Network Engineer may be the change owner for a router upgrade.

Change Requestor - The individual asking for a change to be made.  May or may not be the change owner. The requestor should be the person sponsoring or advocating the change, usually business.

Configuration Item (CI) - For example: services, enterprise applications, service applications, servers, databases, enterprise storage, load balancers, and security appliances, but excluding client-based assets, desktop configuration items and documentation.

Deployment Management - includes the processes, systems and functions to build, test and migrate a release into operation.

Forward Schedule of Change (FSC) - The objective of the Forward Schedule of Change (FSC) is to inform staff of upcoming Changes that are scheduled for the next period and beyond. There should be enough information in the FSC for the person reading to determine whether the change is going to affect them and to be able to view the change request in detail by having key data.

Release Management - The protection of the live environment and its services through the use of formal procedures and checks. Release management utilizes the bundling or batching of related sets of Changes into manageable-sized units.

Third-party provider - A non-Yale entity that provides network storage, IT system services, software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), cloud hosting, or other IT systems service to Yale University or the Yale University Community.

Policy Sections

1615.1 – Oversight for ITS-managed and ITS-owned Configuration Items

The Change Advisory Board (CAB) shall provide change management oversight for all ITS-managed and ITS-owned configuration items. Change Management will manage all modifications made to the production environment, including the operational test environment. This includes changes implemented by vendors and external organizations.

Please see Procedure 16xx PR.1 for additional details.

1615.2 – Recommended Change Management Practices

Information Technology Services (ITS) shall maintain change management procedures. These procedures shall be documented in Service Now, the service management application managed by Yale ITS.

Changes for all ITS-owned and ITS-managed configuration items shall be managed using these change management procedures.

Owners of non-ITS-owned or -managed configuration items may adopt these procedures. A minimum period of commitment may be required to ensure proper resource allocation.

1615.3 – Release Management

Information Technology Services (ITS) shall maintain release management procedures. These procedures shall be documented in Service Now, the service management application managed by Yale ITS.

Releases for all enterprise-wide financial, student, and human resources configuration items managed or owned by ITS shall be managed using these deployment management procedures.

Owners of non-ITS-owned or -managed configuration items may adopt these procedures. A minimum period of commitment may be required to ensure proper resource allocation.

1615.4 – Deployment Management

Information Technology Services (ITS) shall maintain deployment management procedures. These procedures shall be documented in Service Now, the service management application managed by Yale ITS.

Deployments for all enterprise-wide financial, student, and human resources configuration items managed or owned by ITS shall be managed using these deployment management procedures.

Owners of non-ITS-owned or -managed configuration items may adopt these procedures. A minimum period of commitment may be required to ensure proper resource allocation.

1615.5 – Reporting Requirements for all Changes Not Using ITS Processes

Owners of non-ITS-owned or -managed configuration items are asked to report planned modifications to ITS to minimize the impact of these changes on the IT infrastructure and other systems, applications and services available at Yale. These notices should be given at least seven (7) days before the planned change. At a minimum, these notices should include:

  1. Contact information of the owner/administrator,
  2. The planned date of the change, and
  3. The anticipated impact of the change on the university network or other Yale systems and applications.

Please see Procedure 16xx PR.2 for further details.

1615.6 – Third Party Services/Hosted Services

The change control process for all vendor-managed or cloud-hosted applications or systems to be used by the Yale community must be evaluated. The CAB or Information Security, Policy and Compliance may, at their election, evaluate these change control processes to ensure Yale IT systems, applications, and data are afforded a sufficient degree of protection by the change control processes used by the vendor or host.

1615.7 – Exceptions

Exceptions may be given to the change control requirements under procedures maintained by Information Technology Services (ITS). Exceptions will only be given through this process. Any exception given to the change control process shall be documented.

Roles and Responsibilities

Approving Change Manager and Delegates - Approves changes for build-test and implementation for changes owned by their jurisdiction. Accountable for the execution of the change process in support of the change owner. The Approving Change Manager and delegates are also responsible for conducting CAB meetings and overseeing the change process.

Authorizing Change Manager(s) – Authorizes changes where their jurisdiction is impacted and participates in CAB meetings as required.

Change Advisory Board (CAB) – The Change Advisory Board (CAB) shall deliver support to the Change Manager by assisting in the assessment and prioritization of changes.  The CAB helps ensure that changes are managed in a rational and predictable manner by enforcing change management policies and procedures.  The CAB shall provide guidance to the Change Manager.

Change Assessor - Responsible for contributing to the business and technical risk and impact assessment of a change for their domain.

Change Builder / Implementer - Individual responsible for performing the build/test and/or implementation.

Change Coordinator - Facilitates the change process by assisting the Change Manager and Change Owner throughout the change process.

Change Requestor - The requestor should be the person sponsoring or advocating the change, usually business.

Configuration Item Owners – Are responsible for managing changes to their configuration items (applications, systems, platforms, etc.) and communicating with the CAB, ITS and stakeholders to ensure the requirements defined in this policy are met.