Infrastructure Security Office (ISO) Change Management Process

Owned by Benjamin Hartung
Last updated: Aug 15, 2024 by Daniel LaGrow
2 min read

Change Management Process

Definition of Change

Anything that goes into Production is a change. A production system is any system that end users rely on for business and educational purposes. Changes are locked down once submitted for review

Peak Hours

 

Student Workers

Staff

Faculty

 

Student Workers

Staff

Faculty

Week Days

7:00am - 10:00pm

7:00am - 5:00pm

7:00am - 10:00pm (during Fall/Spring Semester)

Weekends

10:00am-3:00pm (during Fall/Spring Semester)

Not Available

Not Available

Change Freeze

Registration

  • Fall Semester - Last week of Summer before Fall semester starts first week of school.

  • Spring Semester - First week of school

Pre-approved Downtimes

  • 4-7AM on Wednesday Saturday morning 6AM - 10AM

  • Scheduled down-time, documented

Communication Channels

Stakeholders should be notified.

  • STUDENTS - no op out

  • FACULTY/STAFF - no opt out

  • INTERNAL IT - No opt out, every change is sent here Listed online

CAB

  • Service managers, Steve direct report

  • Business manager for the service that is impacted Charter- high/medium

  • CAB meets once per week (in person, online, or speaker phone)

  • Medium risk change goes through one cab lead time/approval, before it goes into production. 1 Application or 50% or less of population

  • High risk - multiple applications and 50% or more of population change goes through 2 cabs, Before it goes into prod, communication with preliminary approval.

  • Tuesdays at 2pm

CAB Process

  1. All changes submitted and approved by manager by deadline for each meeting (Mondays at 2pm). Changes can’t be made to submission after the deadline.

  2. Submissions emailed to CAB within timeframe for meeting (3 days for low, 5 days for medium, 11 days for high)

  3. CAB has authority to approve and reject Chair - Steve, John is Administrator

  4. Changes are approved by consensus vote. If someone disapproves a change we want to do, we table that change. No anonymous votes are allowed. All concerns must be mitigated for approval.

  5. Cab has the authority,

  6. The CAB agenda is the list of changes for discussion. The results of each discussion will be documented and shared online.

CAB has the authority to handle change violations.

  • First violation, CAB will address in an email.

  • 2nd one is a re-training on process.

  • 3rd one is access removal.

Types of Change

Low Risk Change

  • Effects small population (one department)

  • Independent system

  • No integration with other systems

  • Flexible implementation timeline

  • Minimum 3 days prior notice

  • Manager and CAB notified. If no objections, CIO approval

  • Posted as “Info Only” on public change board

Medium Risk Change

  • Must be discussed and approved by CAB in a meeting

  • Minimum 5 business days notice

  • Affects larger population, more than one unit, but less than 50% of campus users

  • Potential to affect other systems

  • Important to business practices

High Risk Change

  • Must be discussed at 2 CAB meetings, approved at 2nd meeting

  • Minimum 11 business days notice

  • Affects multiple systems

  • Affects more than 50% of campus users, multiple types of stakeholders

  • Critical to university operations or teaching practices

Emergency Change

  • System is down that is critical to business or teaching practices

  • Issue is believed to be resolvable with a reboot

  • Change request form is completed afterwards, the same business day as reboot

  • CAB is notified, change is added to online change log

Pre-approved Change

  • Standard Operating Procedures (SOP) are approved by CAB

  • SOP includes communication planning and change time parameters

Practices

  • Disable back-ups during change window

  • Make a snapshot or clone prior to change

  • No changes made during freeze period

  • No changes made during peak hours