Security Policy Goals [Link] (to be replaced once this article is in the KB)
Statement of purpose
A Change Review Board (CRB) and Change Management Process (CMP) are necessary to ensure the integrity and availability of the production environment. All changes to production introduce risk and this policy ensures that software and system configuration changes are reviewed and verified prior to implementation.
Scope statement
This policy applies to user-facing CCC production systems and operating environments. Accountable and responsible individuals are the CIO and ITS operations management. For CCC systems supported and maintained by third parties, such parties are also subject to this policy.
Policy summary
CCC shall operate an (ITS) Change Review Board (CRB) and enact an Information Technology Services Change Management Process (CMP).
This policy shall be subject to and superseded by applicable regulations and laws.
Policy
- The CRB shall review and approve proposed changes to system components in the production environment (outside the scope of typical operational maintenance).
- The CMP shall include steps for reviewing the impact of changes and identifying risks.
- The CMP shall include descriptions of back-out procedures, and shall require approval from appropriate CRB managers.
- In addition to functional validation, security features shall be tested (as feasible) with each change to ensure security features are properly functioning and are not impacted by the change.
Exemptions
None
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).
Policy violation [Link](to be replaced once this article is in the KB)
Complaint procedures [Link](to be replaced once this article is in the KB)
Governing standards, policies, and guidelines [Link]
Definitions [Link](to be replaced once this article is in the KB)
Responsible executive
Chief Information Officer
Last revision date
07-26-2023 srw