30.18 – Change Management

Owner:

  • Position: Vice President of Information Technology and Chief Information Officer, Information Technologies
  • Email: oit-security@uidaho.edu

Last updated: February 13, 2024

Contents:

A. Purpose. This policy establishes the mechanism for verifying and approving changes to university managed technology resources. Changes to information systems are required on both a regular and emergency basis to fix issues, add new functionality, address new security and compliance requirements, and improve the user experience. Due to the complexity of modern technology systems, such changes must be carefully reviewed, performed, and vetted as, if done improperly, can cause disruptions, weaken security postures, and cause a loss of data. To address this, as well as assist in the University’s compliance requirements, this policy provides that:

  • Changes are performed in a way to minimize risks to the university.
  • All security and compliance requirements remain enforced consistent with U of I standards and principles of least privilege and functionality.
  • All impactful changes to technology resources are tracked and approved in a timely manner.

B. Scope. This policy applies to any changes to technology resources as defined in APM 30.12 C-1, that could have a negative effect on services or data that are classified as production or high impact by the Change Advisory Board, system/data owner, or other relevant authority.

The scope of this policy does not supersede approved system security plans, laws, regulations, or contractual change management limitations or requirements.

C. Definitions

C-1. Change Advisory Board (CAB). A group that reviews, approves, and prioritizes changes, either explicitly, or through approved processes, and maintains the standards for changes.

C-2. Change Control Board (CCB). A group of one or more individuals within projects or dedicated technology that is responsible for ensuring changes adhere to standards. Examples include but are not limited to: subject matter experts, managers, or impacted teams.

C-3. Emergency Change. Emergency changes are performed to address unexpected disruptions such as security incidents, application, or server outages that need to be resolved immediately.

C-4. Normal Change. All other changes that are not Emergency or Standard Changes. Examples include, but are not limited to, data migrations and software implementations, network, or system configuration changes. Each change has a predefined scope and action plan.

C-5. Standard Change. Periodical, low-risk and low-impact changes that follow a standard operating procedure approved by the CAB. Each change has a predefined scope and action plan.

C-6. System. A discrete set of resources assembled to store, process, maintain, share, or dispose of data. This includes, but is not limited to, any endpoint devices (desktops, laptops, smart phones, tablets) as well as servers, networks, or third party and cloud services.

D. Policy

D-1. Changes

  1. All changes to Information Technology systems and services must follow a structured process defined or approved by the CAB to ensure appropriate planning, communication, and execution.
  2. Every change requires explicit consideration for the security impact of the change.
  3. Changes that do not meet the requirements set by the CAB or designated CCB for standard or emergency changes must follow the procedure for normal changes.
  4. To ensure emergency changes occur in a timely manner, review and approval of the change occurs after the event during the follow-up activity for the emergency event.

D-2. Change Advisory Board (CAB) membership and responsibilities

  1. The CAB will be made up of representatives designated by the CIO and published in Change Management standards.
  2. The CAB has the following responsibilities:
    1. Assess, prioritize, authorize, schedule, and communicate changes in a timely manner.
    2. Review emergency changes and request follow-ups or additional documentation as required.
    3. Appoint CCBs for minor changes, projects, or dedicated technology.
    4. Meet regularly to review upcoming changes.
    5. Propose and maintain standards for changes and change approval that are approved by CIO.
    6. Establish and maintain procedures, guidelines, and processes for changes and change approval, including automated processes.
  3. The CAB may require items prior to approval including but not limited to:
    1. Additional documentation or communication.
    2. An appropriate change window adhering to change window guidelines.
    3. Delay in schedule to accommodate risks.
    4. Additional mitigations implemented either prior to or post change.

D-3. Change Control Board (CCB) responsibilities

  1. CCB have the following responsibilities:
    1. Review and approve in-scope changes in a timely manner as per the standards defined by the CAB or by self-defined standards approved by the CAB.
    2. Review emergency changes and request follow-ups or additional documentation as required.
    3. Designate relevant stakeholders as approvers.
  2. CCBs may require items prior to approval per D-2 c.

E. Noncompliance. Noncompliance with this policy may result, depending upon the nature of the noncompliance, in the user’s account or access being suspended to U of I technology resources as stated in Section B.3 of APM 30.12 (Acceptable Use of Technology).

F. Exceptions. Requests for exceptions to this policy may be submitted through the OIT Support Portal. The U of I Chief Information Security Officer will assess the risk and make a recommendation to the U of I Vice President for Information Technology and Chief Information Officer. Exceptions must be reviewed for reauthorization on no less than an annual basis.

G. Contact Information. The OIT Information Security Office (oit-security@uidaho.edu) can assist with questions regarding this policy and related standards. Questions should be submitted through the OIT Support Portal.

H. References.

Version History

Adopted 2024.