ITS Security Policy 100 - Change Control

Tags: change management, risk, operations, audit
Status: Final Draft
Last Revision Date: April 29, 2025

Statement of Purpose

A Change Review Board (CRB) and a formal Change Management Process (CMP) are essential to maintaining the integrity, confidentiality, and availability of the production environment. All changes to production introduce potential risk. This policy ensures that software, hardware, and configuration modifications are appropriately reviewed, documented, tested, and approved to minimize disruption, prevent data loss, and uphold regulatory and institutional obligations.

Policy Summary

Clackamas Community College shall operate an Information Technology Services (ITS) Change Review Board (CRB) and maintain a formal Change Management Process (CMP). All non-routine changes to production systems shall be subject to documented review, risk assessment, and validation procedures. This policy supports alignment with regulatory and industry standards, including NIST, ISO/IEC 27001, PCI DSS, FERPA, and GLBA.

This policy shall be subject to and superseded by all applicable laws, regulations, and contractual obligations.

Policy

1. Scope and Governance

  • The CRB shall review and approve all proposed changes to production systems that fall outside the scope of routine operational maintenance.
  • Routine operational maintenance includes scheduled patches, antivirus updates, and standard backups that do not affect system configurations, security posture, or business functionality.

2. Change Management Process (CMP) Requirements

The CMP shall include the following core components:

  • Change Documentation
    • All change requests must be submitted through the college’s approved change request system.
    • Each request shall include:
      • Change description and business justification
      • Impact and risk assessment
      • Rollback/back-out procedures
      • Testing plan and validation results
      • Approving authority and implementation timeline

  • Approval and Authorization
    • All non-routine changes shall require approval from the designated CRB manager(s) prior to implementation.
    • Emergency changes may be implemented with expedited approval but must be documented and reviewed post-implementation.

  • Testing and Validation
    • Changes shall be functionally and, where feasible, security-tested prior to deployment.
    • Testing shall confirm that critical security controls (e.g., authentication, encryption) are not negatively impacted.

  • Post-Implementation Review
    • Significant changes shall undergo a Post-Implementation Review (PIR) to confirm the change succeeded and did not introduce unintended issues.
    • PIR findings shall be logged and, if needed, used to inform further process improvements.

  • Change Logging and Retention
    • All change activities, including approvals, test results, and rollback status, shall be logged.
    • Change records shall be retained in accordance with the college’s data retention policy and available for audit review.

3. Integration with Other Policies

  • Change control requirements for firewall, identity, or encryption systems must align with Policies 102 (Identity), 105 (Firewalls), and 109 (Encryption) respectively.
  • Changes involving systems containing regulated data (FERPA, GLBA, PCI) shall also adhere to applicable compliance control frameworks.

Exemptions

None.

Exceptions

Any exceptions to this policy must receive prior written approval from the Chief Information Officer (CIO). Emergency changes made to address imminent system failure or security incidents must be logged and subject to retrospective CRB review.