Policy
Policy Name
Change Management and Control Policy

Overview
Change Management is the process of managing and controlling changes in the environment to ensure the confidentiality, integrity and availability of sensitive systems and data. The change management process must ensure that changes to systems or applications are carefully documented, reviewed and approved prior to implementation in the production environment.

Statement
The following controls must be implemented to meet the Change Management and Control Policy:
  • Procedures must be in place to ensure changes to critical systems/devices and applications are documented, reviewed and approved.
  • The role or individual authorized to approve changes must be separate from the individual requesting or implementing the change (to ensure segregation of duties).
  • Changes to production systems must be reviewed periodically to ensure changes are authorized (e.g. integrity checking or monitoring systems).
  • Change requests must capture and record at minimum: the description of the change, justification, risk, planned date and time of change, back-out plans, systems and applications affected.
  • Changes must be managed to ensure availability of the organization's systems (e.g. understand potential impact to critical systems or other changes also planned).


Justification
The following benefits will be achieved:
  • Changes will be documented and managed
  • The impact of changes to the production environment will be minimized
  • Systems will be configured as documented  

Scope
All employees, contractors, agents and third-parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Change Control and Management