GDL-3000.07H: Change and Release Management Guideline
Guideline Summary
Intended Audience: University personnel responsible for managing University computing and networking devices
Guideline Owner: Director of Information Security
Introduction
Effective change and release management procedures help ensure that any changes to the University’s IT systems are done in such a way as to minimize risk to production systems and to ensure users are prepared for and aware of the changes.
Scope
The Change and Release Management Guideline is applicable to any change that carries substantial risk or that has enterprise or broad impact.
Change and Release Management Procedure Requirements
The University should implement Change and Release Management procedures that:
- Ensure duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the University’s IT assets.
- Ensure computing environments (e.g. production, test, development) are separated to reduce the risks of unauthorized access and changes to the production systems.
- Ensure suitable system tests are carried out in testing and/or pre-production environments and prior to acceptance.
- Are tailored to the type of change (Standard, Normal or Emergency Change).
- Require a communication plan for each change that impacts users.
- Require documentation for each change.
Full Document
1. Definitions
Term | Definition |
---|---|
Change Management | The process by which changes are recorded, evaluated, authorized, prioritized, planned, tested, implemented, documented, and reviewed in a controlled manner. Change Management processes ensure that standardized methods are used for the efficient and prompt handling of all changes and that overall business risk is minimized. |
Emergency Change | Changes that must be done quickly due to a serious threat or service interruption. Examples include zero-day vulnerability patches or enterprise system failure fixes. |
Normal Change | Any changes that cannot be classified as an Emergency Change or Standard Change. Examples include application software upgrades or application configuration changes. |
Standard (pre-authorized) Change | Changes done on a regular schedule and/or in a repetitive manner. Examples are the installation of monthly Microsoft operating system patches or a test database refresh. These changes do not require approval from the Change Advisory Board, but they must be documented. Customers must be notified if there is the potential for service interruptions. |
Release Management | The process of managing, planning, scheduling, and communicating a system or application change. Release Management occurs after changes are approved. |
2. Introduction
OCIO 141.10: 8.1
Effective Change and Release Management procedures help ensure that any changes to the University’s IT systems are done in such a way as to minimize risk to production systems and to ensure users are prepared for and aware of the changes.
3. Scope
The Change and Release Management Guideline is applicable to any change that carries substantial risk or that has enterprise or broad impact.
4. Change and Release Management Procedure Requirements
The University should implement Change and Release Management procedures that:
- Ensure duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the University’s IT assets.
- Ensure computing environments (e.g., production, test, development) are separated to reduce the risks of unauthorized access and changes to the production systems.
- Ensure suitable system tests are carried out in testing and/or pre-production environments and prior to acceptance.
- Are tailored to the type of change (Standard, Normal, or Emergency Change).
- Require a communication plan for each change that impacts users.
- Require documentation for each change.
5. Authority
- University policy POL-U3000.07 - Securing Information Systems
- Washington State Office of the Chief Information Officer (OCIO) 141.10 – Securing Information Technology Assets Standards
6. References
Change Log
Revised | Version | Author | Approver | Change |
---|---|---|---|---|
06/18/2021 | 1.0 | Beth Albertson | ITS Standards & Guidelines Committee | Original Version |