GDL-3000.07H: Change and Release Management Guideline

Guideline Summary

Intended Audience: University personnel responsible for managing University computing and networking devices 

Guideline Owner: Director of Information Security

Introduction

Effective change and release management procedures help ensure that any changes to the University’s IT systems are done in such a way as to minimize risk to production systems and to ensure users are prepared for and aware of the changes.

Scope

The Change and Release Management Guideline is applicable to any change that carries substantial risk or that has enterprise or broad impact.

Change and Release Management Procedure Requirements

The University should implement Change and Release Management procedures that:

  1. Ensure duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the University’s IT assets.
  2. Ensure computing environments (e.g. production, test, development) are separated to reduce the risks of unauthorized access and changes to the production systems.
  3. Ensure suitable system tests are carried out in testing and/or pre-production environments and prior to acceptance.
  4. Are tailored to the type of change (Standard, Normal or Emergency Change).
  5. Require a communication plan for each change that impacts users.
  6. Require documentation for each change.

 


Full Document


1. Definitions

Change Management

The process by which changes are recorded, evaluated, authorized, prioritized, planned, tested, implemented, documented, and reviewed in a controlled manner. Change Management processes ensure that standardized methods are used for the efficient and prompt handling of all changes and that overall business risk is minimized.

Emergency Change

Changes that must be done quickly due to a serious threat or service interruption. Examples include zero-day vulnerability patches or enterprise system failure fixes.

Normal Change

Any changes that cannot be classified as an Emergency Change or Standard Change. Examples include application software upgrades or application configuration changes.

Standard (pre-authorized) Change

Changes done on a regular schedule and/or in a repetitive manner. Examples are the installation of monthly Microsoft operating system patches or a test database refresh. These changes do not require approval from the Change Advisory Board, but they must be documented. Customers must be notified if there is the potential for service interruptions.

Release Management

The process of managing, planning, scheduling, and communicating a system or application change. Release Management occurs after changes are approved.

2. Introduction

OCIO 141.10: 8.1

Effective Change and Release Management procedures help ensure that any changes to the University’s IT systems are done in such a way as to minimize risk to production systems and to ensure users are prepared for and aware of the changes.

3. Scope

The Change and Release Management Guideline is applicable to any change that carries substantial risk or that has enterprise or broad impact.

4. Change and Release Management Procedure Requirements

The University should implement Change and Release Management procedures that:

  1. Ensure duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the University’s IT assets.
  2. Ensure computing environments (e.g., production, test, development) are separated to reduce the risks of unauthorized access and changes to the production systems.
  3. Ensure suitable system tests are carried out in testing and/or pre-production environments and prior to acceptance.
  4. Are tailored to the type of change (Standard, Normal, or Emergency Change).
  5. Require a communication plan for each change that impacts users.
  6. Require documentation for each change.

5. Authority

  1. University policy POL-U3000.07 - Securing Information Systems
  2. Washington State Office of the Chief Information Officer (OCIO) 141.10 – Securing Information Technology Assets Standards

6. References

  1. NIST SP 800-171 Rev. 2 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Change Log

Revised | Version | Author | Approver | Change
06/18/2021 | 1.0 | Beth Albertson | ITS Standards & Guidelines Committee | Original Version