
Change Management Policy

DTS POLICY 4000-0004


Document History

Next Review: April 2020
Reviewed Date: April 2019
Reviewed By: Russell Smith, DTS Data Center Manager
Authority: UCA §63F-1-104 et seq. (Utah Technology Governance Act), UCA §63F-1-206 et seq. (Rulemaking—Policies), UCA §63F-1-103 et seq. (Department of Technology Services Authority), UCA §63F-1-205 et seq. (Approval of Acquisitions of Information Technology)

Document Information

Last Revised: May 12, 2014
Effective Date: April 24, 2012
Submitted By: Russell Smith
Approved By: Michael Hussey
Section/Group: IT

1.0 Purpose

This policy defines and establishes clear and concise standards for the DTS Change Management process and procedures.

1.1 Background

DTS established processes and procedures for Change Management in order to provide a central review and oversight of all systems, applications, infrastructure and technical environment changes. This document establishes policy for these Change Management procedures and processes.

These practices include, but are not limited to, all DTS technical assets, including systems, applications, hardware, software, communication equipment, infrastructure and technical environmentals.

1.2 Scope

This policy applies to all employees and contractors within the Department of Technology Services. State agencies and administrative subunits of state government, as defined by UCA §63F-1-102(7), et seq., are required to abide by the provisions of this policy.

Because of the confidential data DTS supports and has access to, DTS Change Management must maintain effective rules and processes that optimize the reliability of the computer equipment and maintain security of data at all times.

When any production data or subset of production data is moved or copied to a development or test server or environment, the environment at that point will be considered a production system and requires compliance with the DTS Change Management policy, procedures and processes.

1.3 Exceptions

No exceptions.

2.0 Definitions

A

Accessibility – A functional security requirement used to determine how an information asset can be accessed.

Agency – For the purposes of this policy, an executive branch agency is an agency or administrative subunit of state government as defined by UCA §63F-1-102(7), et seq.

Authorized Information Users – Individuals, including employees, vendors, and visitors, who are given permission (authorization) to access state information assets.

Availability – A functional security requirement used to determine when an information asset must be accessible.

C

Change – The addition, modification or removal of anything that could have an effect on IT services. The scope should include all IT services, configuration items, and processes.

Change Management – An IT service management discipline. The objective of change management in this context is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to control IT infrastructure, in order to minimize the number and impact of any related incidents upon service.

Change Management Committee – A group of employees assigned to the DTS Change Management process, covering multiple IT disciplines, that will review each CR daily at 3:00 p.m. They will also conduct all change management meetings and produce reports out of central change management tracking systems.

Change Coordinators – DTS employees assigned the responsibility to represent an agency, campus, application or discipline in regards to DTS systems, applications, hardware, software, communication equipment, infrastructure and technical environmentals. They will coordinate with the group they represent and inform and report on the actions taken regarding DTS Change Management.

Change Types – Change types will be based on the Risk Calculation in the DTS-approved Change Management system.

Routine Change – This is a Change Request (CR) that is submitted or an occurrence that is affecting the State network, applications, agency applications or websites that will have Configuration Item (CI) impact of Low or Medium Low and Urgency of Low or Medium. Based on the Risk Calculator it will have a priority of 5. These CRs are sent through normal approval paths (Supervisor “notification only”, Change Coordinator and COTSCMC) and tracked, and information is disseminated to the DTS Change Coordinator Groups and other interested parties (DTS Change email group).

Informational Change – This is a CR that is submitted or an occurrence that is affecting the State network, applications, agency applications or websites that will have CI impact of Low or Medium Low and Urgency of High, Medium or Low. Based on the Risk Calculator it will have a priority of 4. These CRs are sent through normal approval paths (Supervisor “notification only”, Change Coordinator and COTSCMC) and tracked, and information is disseminated to the DTS Change Coordinator Groups and other interested parties (DTS Change email group).

Standard Change – This is a CR that is submitted or an occurrence that is affecting the State network, applications, agency applications or websites that will have CI impact of Medium or Medium Low and Urgency of High, Medium-High, Medium or Medium-Low. Based on the Risk Calculator it will have a priority of 3. These CRs are sent through normal approval paths (Supervisor “notification only”, Change Coordinator and COTSCMC) and tracked, and information is disseminated to the DTS Change Coordinator Groups and other interested parties (DTS Change email group).

Emergency Change – (also known as Break Fix) This is a CR that is submitted during business hours as an emergency in a break/fix environment and needs to be completed within a 24-hour period. CI impact of High or Medium High and Urgency of Critical or High. Based on the Risk Calculator it will have a priority of 2. These CRs are NOT sent through normal approval paths (auto approval of Supervisor “notification only”, Change Coordinator); COTSCMC approves and it is put on the schedule, and all others are notified via email notification. Email notification will include that the CRQ# is an Emergency.

Mission Critical Change – (also known as After Hours Emergency Break Fix) This is a CR that is not submitted during business hours, is an emergency in a break/fix environment and needs to be completed ASAP. CI impact of High and Urgency of Critical. Based on the Risk Calculator it will have a priority of 1. These CRs are NOT sent through normal approval paths (auto approval of Supervisor “notification only”, Change Coordinator); COTSCMC auto approves and it is put on the schedule, and all others are notified via email notification. Email notification will include that the CRQ# is a Mission Critical.

Confidentiality – A functional security requirement used to determine how an information asset can be disclosed.

Confidential Information – For the purposes of this policy, confidential information includes, but is not limited to, financial, health, social-security, criminal, biometric, or any other personally identifiable information which, if inappropriately disclosed, could lead to a significant negative impact on the subject. Confidential information may also include information designated as confidential, private, and controlled or any other equivalent term within statute, rule, policy or regulation.

D

Disclosure – This is the disclosure of controlled, private, or protected information to any business entity or employee who does not have the right to receive the information.

G

Government Information Asset – Information that is prepared, owned, received, or retained by a governmental entity that in its original form is reproducible by mechanical or electronic means.

I

Integrity – A functional security requirement used to determine how an information asset can be altered, destroyed or modified.

P

Public Information Asset – A Department information asset that is not private, controlled, or protected and that is not exempt from disclosure as provided in the Utah Government Records Access and Management Act.

S

Separation of duties – A protocol or requirement which prohibits a single individual from executing all transactions within a set of transactions.

Security Risk Assessment – The process of identifying risks to agency assets or agency operations (including mission, functions, image, or reputation) by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate the impact.

Sunrise Report – A management report utilized by DTS to review and establish the daily status of applications, systems and infrastructure managed by DTS.

V

Vulnerability Mitigations – The process of addressing vulnerabilities such that the risks posed are removed or reduced to acceptable levels. Examples include antivirus tools, anti-spyware tools, patch management, and manual configuration changes.

3.0 Policy

The following standards must be followed to provide reliable, secure and controlled systems, applications, hardware, software, communication equipment, infrastructure and technical environmental changes.

3.1 Standards

DTS established processes and procedures for Change Management in order to provide a central review and oversight of all systems, applications, infrastructure and technical environment changes. This document establishes policy for these Change Management procedures and processes.

3.1.1

Tight restrictions and controls are implemented within the DTS Change Management Processes. The primary objective is to catch potential outages and problems upstream before they impact production systems and environments. DTS will capture documentation of all changes in a central change management system.

3.1.2

All changes (including agency and contractor application development deployments) are required to go through the DTS Change Management Process.

3.1.3

Change Requests (CRs) will be reviewed daily at 3:00 pm and scrutinized by the Change Management Committee for details on risk, impact, planning steps, testing and fall back plans. Change Coordinators must approve CRs before they are reviewed daily and placed on the official DTS Change schedule.

3.1.4

Status on scheduled CRs will be reported in the daily Sunrise Report. Attendance at the daily Sunrise meeting is required for change submitters or coordinators the morning after the CR was scheduled to be completed. Calling into the meeting will be considered attendance. The Sunrise meeting phone # is 801 538-1711.

3.1.5

All DTS Change Coordinators must be involved, pay attention to details, and raise questions that would affect their area of coverage. The weekly reviews are held on Thursdays at 8:30 am in DTS conference room 6100 or via Phone Bridge at 1-877-820-7831, meeting code 591393#.

3.1.6

DTS Change Management has a page on the DTS website containing policy, procedures, process flowchart, required forms, reports, committee makeup and meeting minutes.

3.1.7

Agency application changes are included in the DTS Change Management process. Application development teams may continue to have agency change processes but must submit all changes to the DTS Change Management process as well.

At any time that any production data or subset of production data is moved or copied to a development or test server or environment, the environment is considered to be a production system and requires complete oversight of the DTS Change Management policies, procedures and processes.

3.1.8

Each application development team, campus, agency or environment is required to have a primary and backup DTS Change Coordinator that has read and understands the role and follows the procedures outlined on the DTS Change Management website.

4.0 Process

DTS employee identifies need for Enterprise Change

  1. Log in to the DTS Service-Now application https://utah.service-now.com/navpage.do
  2. Select the menu option Change – Create New from the menu on the left side
  3. Complete all required fields on form including Risk questions
    • Number = auto assigned
    • Requested by = auto fill from UMD login, also identifies Supervisor for 1st level approval
    • Category = First Level of CMDB outline to help identify the (CI) Configuration Item
    • Configuration Item = Entity you are changing in the DTS CMDB (if not available select “Request New CI” from top buttons)
    • Urgency = Select from menu
    • All auto filled (Impact, Priority, Risk, Approval Type, State and Duration)
    • Assignment Group = Service Now assigned team to complete work (will receive email notification of assignment)
    • Assigned To = Specific person in Assignment Group who will be assigned task to complete CRQ#
    • Change Manager = Agency or Discipline assigned POC for all CRQ# in his/her area (Second line of approval)
    • Summary = short description of what is being worked on and changed
    • Description = longer text to describe in detail what and how you are doing that is identified in this change request.
    • Watch list =
    • Work notes list =
    • Additional Comments =
    • Planned Start Date/Time
    • Planned End Date/Time
    • Estimated Duration is calculated based on planned start and stop times
    • Planning Documents
      • Change Plan =
      • Backout Plan =
      • Test Plan =
    • Select Save
    • Run Risk Calculation
    • Submit for Approval and Scheduling
  • Approval path is as follows: Supervisor (“notification only”), the selected Change Manager, then the CM Team (COTSCMC), which reviews CRs for details on risk, impact, planning steps, testing and fall back plans.
    • Service-Now Approval steps
      • Not Yet Requested
      • Requested
      • Approved
      • Rejected
    • Assigned State(s)
      • Pending
      • Open
      • Work in Progress
      • Closed Complete
      • Closed Incomplete
  6. Change number is assigned and CR is placed on Change Schedule
  7. Change Schedule is sent out to Change Coordinators for review
  8. Weekly Change Management meeting is held with Change Coordinators and CM Team for approval and scheduling
  9. Technician completes work, tests the changed environment and reports status in Service Now on the Task assigned from the CRQ#
  10. Change Coordinator provides input on completed/failed changes at the daily status meeting
  11. Change Manager produces report for DTS management.
