DTS POLICY 4000-0004
Document History
Next Review: September 2022
Reviewed Date: September 2021
Reviewed By: Ben Mehr
Authority: UCA §63A-16-104 et seq. (Utah Technology Governance Act), UCA §63A-16-206 et seq. (Rulemaking—Policies), UCA §63A-16-103 et seq. (Division of Technology Services Authority), UCA §63A-16-205 et seq. (Approval of Acquisitions of Information Technology)
Document Information
1.0 Purpose
This policy defines and establishes clear and concise standards for the DTS Change Management process and procedures.
1.1 Background
DTS established processes and procedures for Change Management in order to provide central review and oversight of all changes to systems, applications, infrastructure and technical environments. This document establishes the policy governing those Change Management procedures and processes.
These practices apply to all DTS technical assets, including, but not limited to, systems, applications, hardware, software, communication equipment, infrastructure and technical environments.
1.2 Scope
This policy applies to all employees and contractors within the Division of Technology Services. State agencies and administrative subunits of state government, as defined by UCA §63F-1-102(7), et seq., are required to abide by the provisions of this policy.
Because of the confidential data DTS supports and has access to, DTS Change Management must maintain effective rules and processes that maximize the reliability of computer equipment and maintain the security of data at all times.
When any production data, or any subset of production data, is moved or copied to a development or test server or environment, that environment is from that point considered a production system and must comply with the DTS Change Management policy, procedures and processes.
1.3 Exceptions
No exceptions.
2.0 Definitions
A
Accessibility – A functional security requirement used to determine how an information asset can be accessed.
Agency – For the purposes of this policy, an executive branch agency is an agency or administrative subunit of state government as defined by UCA §63F-1-102(7), et seq.
Authorized Information Users – Individuals, including employees, vendors, and visitors, who are given permission (authorization) to access state information assets.
Availability – A functional security requirement used to determine when an information asset must be accessible.
C
Change – The addition, modification or removal of anything that could have an effect on IT services. The scope includes all IT services, configuration items, and processes.
Change Management – An IT service management discipline. The objective of change management in this context is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to the controlled IT infrastructure, in order to minimize the number and impact of any related incidents upon service.
Change Management Committee – A group of employees assigned to the DTS Change Management process, covering multiple IT disciplines, that reviews each CR daily at 3:00 p.m. The committee also conducts all change management meetings and produces reports from the central change management tracking system.
Change Coordinators – DTS employees assigned the responsibility to represent an agency, campus, application or discipline with regard to DTS systems, applications, hardware, software, communication equipment, infrastructure and technical environments. They coordinate with the group they represent and inform and report on the actions taken regarding DTS Change Management.
Change Types – Change types will be based on Risk Calculation in DTS approved Change Management system.
Routine Change – A Change Request (CR) that is submitted, or an occurrence, affecting the State network, applications, agency applications or websites with a Configuration Item (CI) impact of Low or Medium Low and an Urgency of Low or Medium. Based on the Risk Calculator it has a priority of 5. These CRs follow the normal approval path (Supervisor “notification only”, Change Coordinator and COTSCMC), are tracked, and information is disseminated to the DTS Change Coordinator Groups and other interested parties (DTS Change email group).
Informational Change – A CR that is submitted, or an occurrence, affecting the State network, applications, agency applications or websites with a CI impact of Low or Medium Low and an Urgency of High, Medium or Low. Based on the Risk Calculator it has a priority of 4. These CRs follow the normal approval path (Supervisor “notification only”, Change Coordinator and COTSCMC), are tracked, and information is disseminated to the DTS Change Coordinator Groups and other interested parties (DTS Change email group).
Standard Change – A CR that is submitted, or an occurrence, affecting the State network, applications, agency applications or websites with a CI impact of Medium or Medium Low and an Urgency of High, Medium-High, Medium or Medium-Low. Based on the Risk Calculator it has a priority of 3. These CRs follow the normal approval path (Supervisor “notification only”, Change Coordinator and COTSCMC), are tracked, and information is disseminated to the DTS Change Coordinator Groups and other interested parties (DTS Change email group).
Emergency Change – (also known as Break Fix) A CR that is submitted during business hours as an emergency in a break/fix situation and needs to be completed within a 24-hour period, with a CI impact of High or Medium High and an Urgency of Critical or High. Based on the Risk Calculator it has a priority of 2. These CRs do NOT follow the normal approval path: the Supervisor “notification only” and Change Coordinator steps are auto-approved, COTSCMC approves the CR, it is placed on the schedule, and all other parties are notified by email. The email notification states that the CRQ# is an Emergency.
Mission Critical Change – (also known as After Hours Emergency Break Fix) A CR that is NOT submitted during business hours, is an emergency in a break/fix situation and needs to be completed as soon as possible, with a CI impact of High and an Urgency of Critical. Based on the Risk Calculator it has a priority of 1. These CRs do NOT follow the normal approval path: the Supervisor “notification only” and Change Coordinator steps are auto-approved, COTSCMC auto-approves the CR, it is placed on the schedule, and all other parties are notified by email. The email notification states that the CRQ# is Mission Critical.
Confidentiality – A functional security requirement used to determine how an information asset can be disclosed.
Confidential Information – For the purposes of this policy confidential information include, but are not limited to, financial, health, social-security, criminal, biometric, or any other personally identifiable information which, if inappropriately disclosed, could lead to a significant negative impact on the subject. Confidential information may also include information designated as confidential, private, and controlled or any other equivalent term within statute, rule, policy or regulation.
D
Disclosure – The release of controlled, private, or protected information to any business entity or employee who does not have the right to receive the information.
G
Government Information Asset – Information that is prepared, owned, received, or retained by a governmental entity that in its original form is reproducible by mechanical or electronic means.
I
Integrity – A functional security requirement used to determine how an information asset can be altered, destroyed or modified.
P
Public Information Asset – A Department information asset that is not private, controlled, or protected and that is not exempt from disclosure as provided in the Utah Government Records Access and Management Act.
S
Separation of duties – A protocol or requirement which prohibits a single individual from executing all transactions within a set of transactions.
Security Risk Assessment – The process of identifying risks to agency assets or agency operations (including mission, functions, image, or reputation) by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate the impact.
Sunrise Report – A management report utilized by DTS to review and establish the daily status of applications, systems and infrastructure managed by DTS.
V
Vulnerability Mitigations – The process of addressing vulnerabilities such that the risks posed are removed or reduced to acceptable levels. Examples include antivirus tools, anti-spyware tools, patch management, and manual configuration changes.
3.0 Policy
The following standards must be followed to provide reliable, secure and controlled changes to systems, applications, hardware, software, communication equipment, infrastructure and technical environments.
3.1 Standards
DTS established processes and procedures for Change Management in order to provide central review and oversight of all changes to systems, applications, infrastructure and technical environments. The standards below set the policy governing those procedures and processes.
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
4.0 Process
DTS employee identifies need for Enterprise Change
- Log in to the DTS Service-Now application at https://utah.service-now.com/navpage.do
- Select the menu option Change – Create New from the left-hand menu
- Complete all required fields on form including Risk questions
- Number = auto assigned
- Requested by = auto fill from UtahID login, also identifies Supervisor for 1st level approval
- Category = First Level of CMDB outline to help identify the (CI) Configuration Item
- Configuration Item = Entity you are changing in the DTS CMDB (if not available select “Request New CI” from top buttons)
- Urgency = Select from menu
- Impact, Priority, Risk, Approval Type, State and Duration = all auto-filled
- Assignment Group = Service Now assigned team to complete work (will receive email notification of assignment)
- Assigned To = Specific person in Assignment Group who will be assigned task to complete CRQ#
- Change Manager = Agency or Discipline assigned POC for all CRQ# in his/her area (Second line of approval)
- Summary = short description of what is being worked on and changed
- Description = longer text to describe in detail what and how you are doing that is identified in this change request.
- Watch list =
- Work notes list =
- Additional Comments =
- Planned Start Date/Time
- Planned End Date/Time
- Estimated Duration is calculated based on planned start and stop times
- Planning Documents
- Change Plan =
- Backout Plan =
- Test Plan =
- Select Save
- Run Risk Calculation
- Submit for Approval and Scheduling
- Approval path is as follows: 1. Supervisor (“notification only”); 2. the selected Change Manager; 3. the CM Team (COTSCMC), which reviews each CR for details on risk, impact, planning steps, testing and backout plans.
- Service-Now Approval steps
- Not Yet Requested
- Requested
- Approved
- Rejected
- Assigned State(s)
- Pending
- Open
- Work in Progress
- Closed Complete
- Closed Incomplete