Information Security Standards

Change and Configuration Management

GENERAL

The information resources infrastructure at Texas A&M University-Commerce is expanding and continuously becoming more complex. More people depend on information resources being interconnected, upgraded and expanded (e.g., administrative systems and application programs). As the interdependency among information resources grows, an effective change management process becomes essential. From time to time, information resources require a service disruption for planned upgrades, maintenance or fine-tuning. Additionally, such activities may result in unplanned service disruptions. Managing these changes is a critical part of providing a robust and valuable information resource infrastructure. The goal of change management is to ensure that the intended purpose of the change is successfully accomplished, while eliminating or minimizing any negative impact on the users of the resources as a result of the change. Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce the negative impact on the user community.

APPLICABILITY

This procedure applies to University systems storing or processing mission critical and/or confidential information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with Change Management. The intended audience is information resource owners and information security administrators of University information resources that store or process mission critical and/or confidential information. In addition, these procedures may be applied to other information systems to aid in their management.

PROCEDURES

A consistent process is to be used for the implementation of information resource changes. The degree to which change management activities and processes are employed is dependent on the projected inherent risk of the change (i.e., potential for unplanned disruption of service, corruption/loss of data, or disclosure of confidential information resulting from the change implementation). Where appropriate, the process should include: preparation, notification/awareness, approval and documentation.

1. Preparation includes:

a. Review of previous similar changes and their results, to avoid repeating mistakes or negative impact;

b. The determination of the following:

i. The best time/date for implementation (to minimize the impact to users);

ii. The net impact to other systems or impact to normal operation during and following the change implementation (inherent risk);

iii. The risk associated with the change implementation (to minimize the risk of disruption of service caused by the change); and,

c. Ensuring that the changes do not negatively impact the overall system security.

2. A notification process that informs users of changes planned for implementation is required. User notification may include email in addition to an announcement posted on the web.

3. Approval and audit of application/software changes includes:

a. Review of the code revision to be implemented, which shall be performed by someone other than the original developer;

b. Approval of the implementation of the code revision, given by someone other than the developer; and,

c. Review of logs for previous change implementations.

4. Documentation includes any issues identified during the preparation phase that require special considerations or a revision to the implementation plan.

5. Change details for documentation include:

a. Scheduled date/time of change;

b. Expected duration or length of time required to implement the change;

c. Nature of the change (a brief description of the net effect);

d. Developer's name (when applicable) for the modification if newly developed or modified code is involved;

e. Name of the person implementing the modification;

f. An indication of successful or unsuccessful completion of the change; and,

g. An analysis and lessons learned (corrective/preventive actions) covering the actual elapsed time and any changes that deviated unexpectedly from the plan, resulted in an unplanned disruption of service, corruption of data, or disclosure of confidential information.

HISTORY

Last Updated March 31, 2014