Introduction:

Effective change management policies for information technology (IT) are critical for ensuring that changes are made in a controlled and consistent manner, minimizing the risk of errors, system failures, and security breaches. This policy will outline the steps that need to be taken to manage changes to IT systems manually.

Purpose:

The purpose of this policy is to establish a standard process for managing changes to IT systems manually. This policy ensures that any changes to IT systems are documented, tested, and approved before being implemented to reduce the risk of errors, outages, and data breaches.

Scope:

This policy applies to all personnel who are responsible for managing changes to IT systems manually.

Policy:

  1. Request for Change: Any proposed changes to IT systems should be documented and submitted as a request for change (RFC) form. The RFC should include the following information:
    1. The reason for the change
    2. The impact of the change
    3. The expected outcome of the change
    4. The testing and rollback plan
  2. Types of Changes:
    1. Standard Change: Changes that usually occur at regular intervals, are pre-planned and pre-approved, carry low risk and low impact, and don’t require CAB approval are called standard changes (e.g., OS upgrade).
    2. Minor Change: Changes that don’t have a major impact, are less risky, and go through every stage of the change lifecycle, including CAB approval, are called minor changes (e.g., website changes).
    3. Major Change: Changes that can have a medium to high impact on ongoing business operations, may have financial implications, and require CAB approval as well as management approval are called major changes (e.g., migration from one data center to another).
    4. Emergency Change: Changes that need immediate fixes and Emergency CAB approval, where the review is completed later to avoid potential risks, are called emergency changes (e.g., security patch).
  3. Change Advisory Board (CAB): A change advisory board (CAB) consisting of technical experts and business stakeholders will review all RFCs. The CAB will assess the impact of the change on the system, business processes, and the potential risk of implementing the change. The CAB will approve or reject the RFC based on the assessment.
  4. Change Management Plan: The change management plan should include the following:
    1. The scope of the change
    2. The timelines for the change
    3. The testing plan
    4. The back-out plan in case the change is unsuccessful
    5. The communication plan
  5. Testing: Before implementing any change, a testing plan should be executed. The testing should include:
    1. Unit testing to ensure the change works as expected
    2. Integration testing to ensure the change does not impact other IT systems
    3. User acceptance testing (UAT) to ensure the change meets business requirements
  6. Implementation: Once the change has been tested and approved, it can be implemented. Implementation should be carried out in the following manner:
    1. Communicate the change to all stakeholders
    2. Implement the change outside of business hours to minimize impact on operations
    3. Monitor the change for any issues or errors
  7. Review: After the change has been implemented, a post-implementation review (PIR) should be conducted. The PIR should include the following:
    1. Assessment of whether the change met the desired outcome
    2. Assessment of whether the change impacted business processes or IT systems negatively
    3. Lessons learned for future changes
  8. Documentation: All changes should be documented and tracked. This documentation should include:
    1. The RFC form
    2. The change management plan
    3. The testing plan and results
    4. The PIR

Conclusion:

This policy provides a standard process for managing changes to IT systems manually. The policy ensures that all changes are tested, approved, and documented to minimize the risk of errors, outages, and data breaches. All personnel responsible for managing changes to IT systems should follow this policy.