PVAMU Business Affairs




Change Management


1. General

The information resources infrastructure at Prairie View A&M University is expanding and continuously becoming more complex. There are more people dependent on information resources being interconnected, upgraded and expanded (e.g., administrative systems and application programs). As the interdependency among information resources grows, the need for an effective change management process is essential. From time to time, information resources require a service disruption for planned upgrades, maintenance or fine tuning. Additionally, such activities may result in unplanned service disruptions. Managing these changes is a critical part of providing a robust and valuable information resource infrastructure. The goal of change management is to ensure that the intended purpose of the change is successfully accomplished, while eliminating or minimizing any negative impact to the users of the resources as a result of the change. Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce the negative impact to the user community.

2. Applicability

This procedure applies to University systems storing or processing mission critical and/or confidential information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with Change Management. The intended audience is information resource owners and information security administrators of University information resources that store or process mission critical and/or confidential information.

3. Definitions
  • Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g., the Texas Public Information Act.
  • Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
  • Custodian: the person (Information Security Administrators) responsible for implementing owner-defined controls and access to an information resource.
  • Change:
    • a. any implementation of new functionality
    • b. any interruption of service
    • c. any repair of existing functionality, and
    • d. any removal of existing functionality.
  • Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, and failure to comply with regulations or legal obligations, or closure of the University or department.
  • Owner of an Information Resource: an entity responsible for:
    • a business function (Department Head)
    • determining controls and access to information resources.


4. Procedures

A consistent process is to be used for the implementation of information resource changes. The degree to which change management activities and processes are employed is dependent on the projected inherent risk of the change (i.e., the potential for unplanned disruption of service, corruption/loss of data, or disclosure of confidential information resulting from the change implementation). Where appropriate, the process should include: preparation, notification/awareness, approval and documentation.

1. Preparation includes:

a. Review of previous similar changes and their results, to avoid repeating mistakes or negative impacts

2. The determination of the following:

a. The best time/date for implementation (to minimize the impact to users)
b. The net impact to other systems or impact to normal operation during and following the change implementation (inherent risk)
c. The risk associated with the change implementation (to minimize the risk of disruption of service caused by the change)
d. Ensuring that the changes do not negatively impact the overall system security

3. Notification/awareness: a forum or notification process that informs users of changes planned for implementation. Typically, user notification includes email in addition to an announcement posted on the web.

4. Approval and audit of application/software changes includes:

a. Review of the code revision to be implemented, which shall be performed by someone other than the developer
b. Approval of the implementation of the code revision, performed by someone other than the developer
c. Review of logs for previous change implementations.

5. Documentation includes any issues identified during the preparation phase that require special considerations or a revision to the implementation plan.

a. Change details for documentation include:

  1. Date/time of change
  2. Expected duration or length of time required to implement the change
  3. Nature of the change (a brief description of the net effect)
  4. Developer's name (when applicable) for the modification, if newly developed or modified code is involved
  5. Implementer's name for the modification
  6. An indication of successful or unsuccessful completion of the change
  7. An analysis and lessons learned (corrective/preventative actions) for changes that deviated unexpectedly from the plan, resulted in an unplanned disruption of service, corruption of data, or disclosure of confidential information.
