Standard and Process
The change control process should include written requests from authorized individuals. Each request should include a description of the change, the business or operations reason for the change, stakeholders, operational impact, target date for the change, scope of work involved and a rollback procedure. The process should specify who reviews the change and who approves or denies it in whole or in part.
Colleges and administrative units are responsible for designating the appropriate organizational level, scope, and methodology used for change control.
IT staff are responsible for working with users, data owners and service directors to develop change control plans for University resources.
Users, data owners and service directors are responsible for working with IT staff to understand and follow the change control process.
- This standard is based on the principles of ISO/IEC 27002:2005.
Document Owner: University Information Security
Document Approvers: Brian Dahlin, Chief Information Security Officer; Patton Fast, University Enterprise Architect
Effective Date: August 2010
Last Reviewed Date: November 2014