Sample Change Control Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Document History


Version Date Revised By Description
1.0 1 January 2010 <Current date> Michael D. Peters <Owners's name> This version replaces any prior version.


Document Certification


Description Date Parameters
Designated document recertification cycle in days: 30 - 90 - 180 - 365 <Select cycle>
Next document recertification date: 1 January 2011 <Date>


Sample Change Control Standard


The <Your Company Name> (the "Company") Sample Asset Management Policy defines objectives for establishing specific standards for properly managing the Company Information Technology infrastructure, including networks, systems, and applications that store, process, and transmit information assets.

This Change Control Standard builds on the objectives established in the Sample Asset Management Policy, and provides specific instructions and requirements for following approved processes and procedures that ensure only authorized updates and changes are implemented in the Company production environment.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Change Control refers to the formal and approved process for submitting, reviewing, and approving changes to the production environment including functions such as testing, documentation, implementation, validation, and tracking.

Information assets are defined in the Sample Asset Identification and Classification Policy.

II. Requirements


A. General

1. The requirements of this standard apply, in their entirety, to systems, networks, and applications implemented in the Company production environment.


2. Changes to the production environment must follow the Company-approved change control process and be performed by authorized persons.


3. Significant changes to the production environment and critical functions must be reflected in the business continuity and recovery plans.


B. Change Request

1. Company-approved procedures and tools shall be used to submit change requests and supporting documentation to the Change Control Review Committee for approval at least two weeks prior to the next scheduled change control meeting.


2. Change requests should contain the following information:


  • Requestor name and contact information
  • Submission date
  • Priority
  • Description of the change
  • Justification for the change
  • Cost justification, if appropriate
  • Request change date
  • Impact on production environment


3. Change requests shall be classified into one of four priority categories:


  • Critical
  • High
  • Medium
  • Low


A description of each category is provided in the following table:

PriorityDescriptionImplementation Timeframe
CriticalSevere business or production impact, if not implemented immediately.

Mandatory and must be implemented.
Implemented within 10 (ten) business days of approval.
HighSignificant business or production impact, if not implemented.

Significant and/or immediate improvement to production environment.

Address immediate regulatory or competitive market issues.
Implemented within 30 (thirty) business days of approval.
MediumModerate business or production impact, if not implemented.

Moderate improvement to production environment.
Implemented within 60 (sixty) business days of approval.
LowLimited to no business or production impact, if not implemented.

Limited improvement to production environment.
Implemented no earlier than 90 (ninety) business days of approval.


B. Change Review and Evaluation


1. The Change Control Review Committee will perform the following tasks to review and evaluate submitted change requests during scheduled change control meetings:


  • Acknowledge all submitted change requests.
  • Determine and communicate review due dates for all submitted change requests.
  • Distribute the change requests and supporting documentation to appropriate committee members for review.


B. Change Approval

1. The Change Control Review Committee will provide the recommendation to approve, reject, or defer reviewed change requests.


2. The Change Control Review Committee will assign approved change requests to specific production maintenance schedules.


3. The Change Control Review Committee will provide an explanation for all rejected or deferred change requests.


4. If a change request is not approved, a special appeal can be requested at the next scheduled change control meeting.


E. Testing

1. A staging environment separate from development and production environments shall be used and maintained for testing changes prior to implementation.


2. Testing shall include efforts to assess risks and protect the availability and integrity of information assets on production systems.


3. Software changes resulting from testing efforts should be made in the development environment and promoted to the staging environment.


F. Documentation

1. The following supporting documentation should be finalized prior to implementing approved changes in the production environment:


  • Implementation checklist outlining tasks and time estimates
  • Rollout procedures, responsibilities, and activities
  • Back-out procedures and restoration activities
  • Testing procedures to validate the change


G. Implementation

1. Authorized personnel shall follow documented rollout procedures to implement approved changes into the production environment.


2. Developers should not have the access required to independently promote source code into the production environment.


3. Transfer of software from the staging environment to the production environment shall be coordinated with appropriate personnel.


H. Validation and Tracking

1. Implemented changes shall be validated to ensure vulnerabilities were not introduced or service was not interrupted.


2. If implemented changes introduce vulnerabilities or disrupted service in the production environment then authorized personnel shall follow documented back-out procedures to restore the production environment to its pre-implementation state.


3. Results of changes to the production environment should be reported to the appropriate Asset Owner(s) or designated Change Control Manager(s).


4. Baseline configuration documentation, builds, and scripts should be updated, as necessary, if implemented changes have been adopted as production standards.


I. Emergency Changes


1. Emergency changes to production environment should be approved by at least two members of the Change Control Review Committee, Asset Owner, and Business Unit Management.


2. Emergency procedures for correcting urgent software errors or production issues should allow for adequate access authority to accomplish the repair.


3. Activities shall be monitored and logged when special access to production resources is required.


4. All special access to production resources shall be revoked immediately after emergency changes have been implemented.


5. Results of emergency changes should be reported to the Change Control Review Committee and appropriate Asset Owner(s) or designated Change Control Manager(s).


6. Emergency changes should be presented in the next scheduled change control meeting and followed up with completed change control documentation.


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Change Control Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Change Control Standard.

Company management, including senior management and department managers, is accountable for ensuring that the Change Control Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the Change Control Standard.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for: defining processes and procedures that are consistent with the Change Control Standard; submitting change requests for approval using Company-approved procedures and tools; and ensuring proper testing has been performed and documentation has been developed prior to implementation of changes to the production environment.

Change Control Review Team is responsible for scheduling and conducting weekly change control meetings to review and evaluate all submitted change requests, and providing recommendations to approve, reject, or defer change requests.

Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for: providing a secure processing environment that protects the confidentiality, integrity, and availability of information; ensuring changes to systems, networks, and applications in the production environment are made in accordance with the Change Control Standard; supporting test, risk assessment, and documentation efforts; and participating in restoration efforts, as required.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing and complying with the Change Control Standard and associated guidelines, and following Company-approved processes and procedures for the change control.

IV. Enforcement and Exception Handling


Failure to comply with the Change Control Standard and associated guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Change Control Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Change Control Standard.

V. Review and Revision


The Change Control Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer