CM Policy

CCIT Change Management Policy

Executive Summary

The Clemson Computing & Information Technology (CCIT) infrastructure at Clemson University is expanding and continuously becoming more complex. There are more people dependent upon the network, more client machines, upgraded and expanded administrative systems, and more application programs. As the interdependency within the IT infrastructure grows, a strong change management process becomes essential.

From time to time IT elements require an outage for planned upgrades, maintenance or fine-tuning. Additionally, unplanned outages may occur that could result in upgrades or maintenance. Managing these changes is a critical part of providing a robust and valuable IT infrastructure.

Change Management is a process whose lack of maturity can have the most dramatic impact on the business. Unapproved, unplanned, and uncoordinated changes can impact the business customer on a frequent basis. Additionally, without the ability to control when, how and by whom things are changed in the production environment, other processes such as Release and Configuration Management cannot be effectively implemented. A controlled Change Management process is a dependency for several other IT business practices.

Purpose

The purpose of the Change Management Policy is to manage changes in a rational and predictable manner so that staff and customers can plan accordingly. Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce negative impact to the user community and to increase the value of IT resources and their resultant services.

Policy

Policy Coverage:

The Clemson Computing & Information Technology Change Management Policy applies to all individuals that install, operate or maintain IT resources and services.

Change Management:

  • Every change to a Production Clemson Computing & Information Technology resource, such as operating systems, computing hardware, networks, databases and applications, is subject to this Change Management Policy and must follow the Change Management Procedures.
  • All changes affecting computing environmental facilities (e.g., air-conditioning, water, heat, plumbing, electricity, and alarms) must be reported to or coordinated with the leader of the Change Management process.
  • A Change Management Change Advisory Board (CAB), appointed by CCIT leadership, will meet regularly to review change requests and to ensure that change reviews and communications are being satisfactorily performed.
  • A request for change ticket must be submitted for all changes, whether scheduled, emergency, or unscheduled.
  • All scheduled change requests must be submitted in accordance with change management procedures so the Change Advisory Board has time to review the request, determine and review potential failures, and make the decision to allow or delay the request.
  • Each scheduled change request must receive Change Advisory Board, or Change Manager, approval before proceeding with the change. The only exception to this will be those changes receiving pre-approved status or those changes that have been delegated, such as password changes.
  • Emergency changes require CCIT Change Manager approval prior to implementation. Any emergency change affecting those services deemed “critical” will be communicated to the Change Discussion email list.
  • The CCIT Change Manager may deny a scheduled or unscheduled change for reasons including, but not limited to, inadequate planning, inadequate backout plans, timing that will negatively impact a key business process such as year-end accounting, or adequate resources not being readily available. Adequate resources may be a problem on weekends, holidays, or during special events.
  • Customer notification must be completed for each scheduled or unscheduled change following the steps contained within the Change Management Procedures.
  • All information systems, services and processes must comply with the change management process that meets the standards outlined above.
  • Other equipment or facilities that may affect the production environment are also subject to compliance with the change management process.

Disciplinary Actions

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student.

Definitions

Change Management. The practices of ensuring all changes to Configuration Items are carried out in a planned and authorized manner. This includes ensuring that there is a business reason behind each change, identifying the specific Configuration Items and IT Services affected by the change, planning the change, testing the change, and having a backout plan should the change result in an unexpected state of the Configuration Item.

Change Advisory Board (CAB). A CAB is an integral part of a defined change management process designed to balance the need for change with the need to minimize inherent risks. A CAB is comprised of representatives of the key functional areas of CCIT, customer representatives, security office, service desk and Service Management staff. The CAB is responsible for oversight of all changes in the production environment. These changes may involve hardware, software, configuration settings, patches, etc.

Change Discussion email list. An email distribution list with members from all units within CCIT. Members include senior staff, directors, and managers.

Change Advisory Board/Emergency Committee. The CAB/EC is a subset of the full CAB responsible for assessing and approving urgent changes as a result of a system or service Incident.

Change Management Governance Board (CMGB). The CMGB is comprised of the executive leadership of CCIT and the Change Manager. The CMGB is responsible for assessing and approving emergency changes as a result of a system or service Incident. The CMGB may be convened by the CCIT Change Manager in those situations involving interruptions of Clemson University’s critical services. Additionally, the CMGB may be called upon to rule on scheduling issues that cannot be resolved by the normal CAB and CCIT Change Manager.

Related Documents

Change Management Standard Operating Procedures

Revisions
Current: 1.0
Next Revision: June 8, 2008
Administrative Update:

Approvals
Approved, CCIT Executive Staff
June 8th, 2007

Change Management Policy Addendum – DHHS Systems

Implemented April 23, 2014

Summary

Due to governing regulations, and the nature of data processed by SCDHHS systems, CCIT requires additional security oversight beyond normal Change Management procedures for changes affecting SCDHHS systems. The procedure presented in this Addendum applies to all SCDHHS hosted systems as well as any supporting systems SCDHHS systems require for operation.

Additional Procedures Required:

Change Requestor
  • Change requestor must submit a request ticket to the Office of Information Security and Privacy (OISP) for a Security Impact Analysis (SIA) via ITHelp.clemson.edu.
  • Once the SIA is complete, and OISP provides approval via the ITHelp ticket, the requestor can then enter an RFC via the normal CCIT Change Management Procedure.
  • When creating the RFC the requestor must check the “SCDHSS Affected” box and include the ITHelp ticket number for the SIA approval on the RFC Information Tab.
  • Emergency RFCs can be submitted and approved without an SIA as long as the change does not modify the configuration of a device or software.
    • If an emergency RFC entails modifying the configuration of a device or software, an SIA must be completed before the change can take place. In this case the Change Requestor should engage the OISP group directly.

Change Manager

All RFC submissions should be checked against a list of known SCDHHS systems and services. Any RFC found to affect known SCDHHS systems should not be placed on the weekly CAB agenda, or set to an online vote status until an SIA is successfully completed via an ITHelp.clemson.edu ticket.

Questions

Email: Change_Manager-L@clemson.edu

Information Security & Privacy at Clemson

The Office of Information Security and Privacy is part of CCIT's Customer Services & Information and Privacy department, led by Hal Stone.

In addition to overseeing CCIT information policies and standards, the group serves to inform users and support personnel of possible threats to Clemson University computing resources and to disseminate recovery information quickly so that minimum downtime is experienced.
