Technical Change Control Standard

PURPOSE

Standardized methods and procedures will be used to ensure appropriate planning, communication, testing, documentation and authorization for changes to Albright’s production information technology systems and applications.

DEFINITIONS

Enterprise Applications – Database systems that are a.) utilized by two or more departments or used to submit official data to state or federal agencies and b.) centrally backed up by Information Technology Services.

Departmental Applications – Database systems that are utilized by only one administrative or academic department and for which a failure of the system (loss of data integrity, disruption in system availability) does not present a significant risk to the accuracy or availability of critical administrative services to students, faculty, or administrators/staff.

SCOPE

Changes to Development and Test environments should be coordinated and communicated among ITS staff members as necessary, but are neither required nor intended to be documented in the ITS change control system.

Changes to Departmental Applications are not within the scope of this standard.

The following types of production system configuration changes and events are covered by this Standard and must be recorded and approved, as necessary, in the ITS Change Control Documentation System (CHAD).

Enterprise Application Changes:

  • Vendor software upgrades and patches to enterprise applications (such as PowerCampus, Millenium, Great Plains, PowerFAIDS, Housing Director, etc.)
  • Custom software programs that extract/export, import, exchange, integrate, add, update, or delete enterprise application data

User Sign-Off:

  • User acceptance and approval of all major enterprise application software changes, as described above.

Core Technology Related Changes:

  • Firewall configuration changes
  • LAN and WLAN configuration changes
  • Changes to Enterprise Directories or Group Policies
  • Exceptions to standard/normal ITS identity management account provisioning, de-activation or de-provisioning procedures
  • Configuration of a new production server (physical or virtual)

STANDARD

Enterprise Application Changes:

Enterprise Application changes to production systems will be made only after appropriate testing in a test instance.

All in-scope software related Enterprise Application change requests must be documented in the ITS change control system.  Each request must include the following:

  • A valid change category, product, module, and data domain
  • A complete description of the production change being requested
  • Vendor software version number or patch identification number
  • A description of completed testing activities and the date that testing was successfully completed
  • Documented user sign-off by the appropriate module/area Data Steward (as listed in Appendix A of the Administrative Data Management and Access Policy)
  • Technical approval by the Director, Enterprise Applications or the CTO
  • Appropriate succession of change request status changes (Requested/Open; Approved (need to determine appropriate methods for documenting both the approval of Data Stewards and ITS management); Completed).  Each status will have an effective date.

NOTE:  Emergency changes to Enterprise Applications may be authorized by the CTO without advance user acceptance/sign-off by the appropriate Data Steward.  However, emergency changes must be clearly documented as such in the Change Control System, and the documentation must fully describe the circumstances requiring exception-based intervention.  Generally speaking, emergency changes are intended to address critical operational problems where delays are not considered tolerable due to significant risk to business continuity, data integrity, or data/system security.

User Sign-Off

Enterprise Application changes to production systems will be made only after appropriate testing in a test instance and the documentation of user acceptance/approval that certifies production readiness.

Each CHAD entry for user sign-off will include:

  • Documented user sign-off by the appropriate module/area Data Steward (as listed in Appendix A of the Administrative Data Management and Access Policy)
  • Each User Sign-off record will cross-reference the appropriate “Enterprise Applications” CHAD project, or issue, entry.

Core Technology Related Changes

All in-scope Core Technology related change requests must be documented in the ITS change control system.  Each request must include the following:

  • A valid category code
  • A complete description of the production change
  • Server name, if appropriate
  • Operating System, if appropriate
  • Other pertinent information, as relevant

APPROVALS/REVISIONS

Originally Approved by Chief Technology Officer, 3/1/2012

Revised and Approved to include Core Technologies, 5/10/2012
