Standard and Process
See the specific requirements in the Change Management Standard in the University Policy library. The following supplements the requirements in University policy.
Change control documentation should include:
- written requests from authorized individuals;
- description of the change;
- business or operations reason for change;
- operational impact;
- verification that information security requirements are met;
- target date for change;
- scope of work involved;
- rollback procedure.
The process should include who reviews the change, approves, or denies the change in whole or in part.
For emergency changes, develop, and follow a process to enable quick and controlled implementation of changes needed to resolve an incident.
Colleges and administrative units are responsible for designating the appropriate organizational level, scope, and methodology used for change control.
Technical staff are responsible for working with users, data owners, data custodians, and service owners to develop change control plans for University resources.
Users, data owners, data custodians, and service owners are responsible for working with Technical staff to understand and follow the change control process.
See the Information Security policy appendices for additional information security standards that also apply.
- This standard is based on the principles of ISO/IEC 27002:2013.
- Technology Portfolio
Document Owner: University Information Security
Document Approvers: Brian Dahlin, Chief Information Security Officer; Bernard Gulachek, VP of Information Technology and Chief Information Officer
Effective Date: August 2010
Last Reviewed Date: May 2019