Sample Change Control Standard:
Sample Change Control Standard
The <Your Company Name> (the "Company") Sample Asset Management Policy defines objectives for establishing specific standards for properly managing the Company Information Technology infrastructure, including networks, systems, and applications that store, process, and transmit information assets.
This Change Control Standard builds on the objectives established in the Sample Asset Management Policy, and provides specific instructions and requirements for following approved processes and procedures that ensure only authorized updates and changes are implemented in the Company production environment.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.
Change Control refers to the formal and approved process for submitting, reviewing, and approving changes to the production environment including functions such as testing, documentation, implementation, validation, and tracking.
Information assets are defined in the Sample Asset Identification and Classification Policy.
II. Requirements
A. General
- 1. The requirements of this standard apply, in their entirety, to systems, networks, and applications implemented in the Company production environment.
- 1. The requirements of this standard apply, in their entirety, to systems, networks, and applications implemented in the Company production environment.
- 2. Changes to the production environment must follow the Company-approved change control process and be performed by authorized persons.
- 2. Changes to the production environment must follow the Company-approved change control process and be performed by authorized persons.
- 3. Significant changes to the production environment and critical functions must be reflected in the business continuity and recovery plans.
- 3. Significant changes to the production environment and critical functions must be reflected in the business continuity and recovery plans.
B. Change Request
- 1. Company-approved procedures and tools shall be used to submit change requests and supporting documentation to the Change Control Review Committee for approval at least two weeks prior to the next scheduled change control meeting.
- 2. Change requests should contain the following information:
- 2. Change requests should contain the following information:
- Requestor name and contact information
- Submission date
- Priority
- Description of the change
- Justification for the change
- Cost justification, if appropriate
- Request change date
- Impact on production environment
- Requestor name and contact information
- 3. Change requests shall be classified into one of four priority categories:
- 3. Change requests shall be classified into one of four priority categories:
- Critical
- High
- Medium
- Low
- Critical
A description of each category is provided in the following table:
Priority Description Implementation Timeframe Critical Severe business or production impact, if not implemented immediately.
Mandatory and must be implemented.Implemented within 10 (ten) business days of approval. High Significant business or production impact, if not implemented.
Significant and/or immediate improvement to production environment.
Address immediate regulatory or competitive market issues.Implemented within 30 (thirty) business days of approval. Medium Moderate business or production impact, if not implemented.
Moderate improvement to production environment.Implemented within 60 (sixty) business days of approval. Low Limited to no business or production impact, if not implemented.
Limited improvement to production environment.Implemented no earlier than 90 (ninety) business days of approval.
- B. Change Review and Evaluation
- 1. The Change Control Review Committee will perform the following tasks to review and evaluate submitted change requests during scheduled change control meetings:
- 1. The Change Control Review Committee will perform the following tasks to review and evaluate submitted change requests during scheduled change control meetings:
- Acknowledge all submitted change requests.
- Determine and communicate review due dates for all submitted change requests.
- Distribute the change requests and supporting documentation to appropriate committee members for review.
- Acknowledge all submitted change requests.
B. Change Approval
- 1. The Change Control Review Committee will provide the recommendation to approve, reject, or defer reviewed change requests.
- 1. The Change Control Review Committee will provide the recommendation to approve, reject, or defer reviewed change requests.
- 2. The Change Control Review Committee will assign approved change requests to specific production maintenance schedules.
- 2. The Change Control Review Committee will assign approved change requests to specific production maintenance schedules.
- 3. The Change Control Review Committee will provide an explanation for all rejected or deferred change requests.
- 3. The Change Control Review Committee will provide an explanation for all rejected or deferred change requests.
- 4. If a change request is not approved, a special appeal can be requested at the next scheduled change control meeting.
- 4. If a change request is not approved, a special appeal can be requested at the next scheduled change control meeting.
E. Testing
- 1. A staging environment separate from development and production environments shall be used and maintained for testing changes prior to implementation.
- 1. A staging environment separate from development and production environments shall be used and maintained for testing changes prior to implementation.
- 2. Testing shall include efforts to assess risks and protect the availability and integrity of information assets on production systems.
- 2. Testing shall include efforts to assess risks and protect the availability and integrity of information assets on production systems.
- 3. Software changes resulting from testing efforts should be made in the development environment and promoted to the staging environment.
- 3. Software changes resulting from testing efforts should be made in the development environment and promoted to the staging environment.
F. Documentation
- 1. The following supporting documentation should be finalized prior to implementing approved changes in the production environment:
- 1. The following supporting documentation should be finalized prior to implementing approved changes in the production environment:
- Implementation checklist outlining tasks and time estimates
- Rollout procedures, responsibilities, and activities
- Back-out procedures and restoration activities
- Testing procedures to validate the change
- Implementation checklist outlining tasks and time estimates
G. Implementation
- 1. Authorized personnel shall follow documented rollout procedures to implement approved changes into the production environment.
- 1. Authorized personnel shall follow documented rollout procedures to implement approved changes into the production environment.
- 2. Developers should not have the access required to independently promote source code into the production environment.
- 2. Developers should not have the access required to independently promote source code into the production environment.
- 3. Transfer of software from the staging environment to the production environment shall be coordinated with appropriate personnel.
- 3. Transfer of software from the staging environment to the production environment shall be coordinated with appropriate personnel.
H. Validation and Tracking
- 1. Implemented changes shall be validated to ensure vulnerabilities were not introduced or service was not interrupted.
- 1. Implemented changes shall be validated to ensure vulnerabilities were not introduced or service was not interrupted.
- 2. If implemented changes introduce vulnerabilities or disrupted service in the production environment then authorized personnel shall follow documented back-out procedures to restore the production environment to its pre-implementation state.
- 2. If implemented changes introduce vulnerabilities or disrupted service in the production environment then authorized personnel shall follow documented back-out procedures to restore the production environment to its pre-implementation state.
- 3. Results of changes to the production environment should be reported to the appropriate Asset Owner(s) or designated Change Control Manager(s).
- 3. Results of changes to the production environment should be reported to the appropriate Asset Owner(s) or designated Change Control Manager(s).
- 4. Baseline configuration documentation, builds, and scripts should be updated, as necessary, if implemented changes have been adopted as production standards.
- 4. Baseline configuration documentation, builds, and scripts should be updated, as necessary, if implemented changes have been adopted as production standards.
- I. Emergency Changes
- 1. Emergency changes to production environment should be approved by at least two members of the Change Control Review Committee, Asset Owner, and Business Unit Management.
- 1. Emergency changes to production environment should be approved by at least two members of the Change Control Review Committee, Asset Owner, and Business Unit Management.
- 2. Emergency procedures for correcting urgent software errors or production issues should allow for adequate access authority to accomplish the repair.
- 2. Emergency procedures for correcting urgent software errors or production issues should allow for adequate access authority to accomplish the repair.
- 3. Activities shall be monitored and logged when special access to production resources is required.
- 3. Activities shall be monitored and logged when special access to production resources is required.
- 4. All special access to production resources shall be revoked immediately after emergency changes have been implemented.
- 4. All special access to production resources shall be revoked immediately after emergency changes have been implemented.
- 5. Results of emergency changes should be reported to the Change Control Review Committee and appropriate Asset Owner(s) or designated Change Control Manager(s).
- 5. Results of emergency changes should be reported to the Change Control Review Committee and appropriate Asset Owner(s) or designated Change Control Manager(s).
- 6. Emergency changes should be presented in the next scheduled change control meeting and followed up with completed change control documentation.
- 6. Emergency changes should be presented in the next scheduled change control meeting and followed up with completed change control documentation.
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Change Control Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Change Control Standard.
Company management, including senior management and department managers, is accountable for ensuring that the Change Control Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the Change Control Standard.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for: defining processes and procedures that are consistent with the Change Control Standard; submitting change requests for approval using Company-approved procedures and tools; and ensuring proper testing has been performed and documentation has been developed prior to implementation of changes to the production environment.
Change Control Review Team is responsible for scheduling and conducting weekly change control meetings to review and evaluate all submitted change requests, and providing recommendations to approve, reject, or defer change requests.
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for: providing a secure processing environment that protects the confidentiality, integrity, and availability of information; ensuring changes to systems, networks, and applications in the production environment are made in accordance with the Change Control Standard; supporting test, risk assessment, and documentation efforts; and participating in restoration efforts, as required.
Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing and complying with the Change Control Standard and associated guidelines, and following Company-approved processes and procedures for the change control.
IV. Enforcement and Exception Handling
Failure to comply with the Change Control Standard and associated guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Change Control Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Change Control Standard.
V. Review and Revision
The Change Control Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer