REG - 70.00.3 ITS Change Management Regulation
This document provides guidance regarding change management for NCCU ITS networks, systems and services. The change is defined as an alteration to software, hardware, or another aspect of the school’s IT environment.
Change Management helps organizations understand and work to minimize risks of changes to the IT environment. It assists in managing the people/communication and technical aspects to ensure that changes are planned, have been tested, have included key stakeholders, have back out plans, have a clear understanding of the impact, have appropriate communication strategy and have been approved prior to implementation.
3.1 These guidelines apply to all employees, contractors, consultants, temporaries, and other workers at NCCU, including those workers affiliated with third parties who require access to NCCU information systems at all locations.
3.2 The specific objectives of applying a change management system are to:
3.2.1 Minimize risks during change;
3.2.2 Provide a change communication process;
3.2.3 Reduce the number of emergency/urgent/unplanned changes by developing a calendar and schedule for maintenance/downtime; and
3.2.4 Ensure that proper change management steps occur with proper documentation, testing and signoffs.
3.3 Basic Procedures for Change Management
The basic procedures for change management include the following:
3.3.8 Report and Control
3.4 Request for Change (RFC)
3.4.1 A change request can be the result of one of the following:
18.104.22.168 Problem management where an issue, or a series of related issues, is identified and a mitigating change is necessary to prevent (or minimize) future effects;
22.214.171.124 Results of a business decision that will require some modification (add, delete, change) to the supporting technology; and/or
126.96.36.199 Due to outside influences (i.e. governmental regulations or changes made by business partners).
3.4.2 All changes must be linked to an incident/ticket or project NO change request should be submitted verbally unless it is an emergency (with written approval and documentation submitted after the fact).
3.5 Documentation and Review of Change
3.5.1 Once a change request is in place, the change management team (CMT) must review the change request with as much information as possible in order to assess the requested change fully. The CMT consists of the IT Executive Leadership and others as needed (see page three). Its function is to review the change from a process and governance standpoint to assure that all foreseeable risks have been identified and mitigated, and that plans are in place for any problems that may arise.
3.5.2 Information that should be included in the change request that will be used to inform the decision:
188.8.131.52 Requested change
184.108.40.206 Technical Lead
220.127.116.11 Build, test, review dates
18.104.22.168 System/Application/Service affected
22.214.171.124 Type - Selects a type of change, which triggers an appropriate workflow. Out-of-box, these choices are:
126.96.36.199.1 Routine - low-impact, commonly performed the change.
188.8.131.52.2 Comprehensive - high impact change with a more complex procedure.
184.108.40.206.3 Urgent – can’t wait for weekly meeting
220.127.116.11.4 Emergency - high impact change, created in response to a critical situation.
18.104.22.168.5 Risk – what is the risk if the change isn’t done and to making the change.
22.214.171.124.6 Impact – what is the campus impact of making or not making the change; who are the affected customers of the change as well as the impact of any system/service outage.
126.96.36.199.7 Affected systems/dependencies –what other systems/dependencies will be impacted as a result of this change.
188.8.131.52.8 Communication strategy – if needed for large impact changes
184.108.40.206.9 Schedule - Includes a requested by date, a planned start and end time, and work start and end dates. This includes any post implementation testing needed by the end users across campus
220.127.116.11.10 Testing sign off for pre and post implementation by all affected parties
18.104.22.168.11Back out Plan – what is the plan to return to the previous state
22.214.171.124 Additional information as needed/requested
3.6 Updating/Closing an RFC
Once a Change has been approved, the requestor/technical lead is responsible for updating the RFC.
3.6.1 Roles and Responsibilities
The individual requesting the change is responsible for:
126.96.36.199.2 ensuring that the appropriate testing has been completed and signed off
188.8.131.52.3 verifying to ITS that the key stakeholders have been informed and also signed off on the request
184.108.40.206.4 identifying the existing project or ticket connected to the change request
220.127.116.11.5 working with ITS on an appropriate back out a strategy
18.104.22.168.6 certifying once the change is complete that the change was successful and if not work with ITS on remediation/back out
22.214.171.124 Technical Contact(s)
These individuals (both in ITS and functional areas) are responsible for:
126.96.36.199.1 coordinating alone with the requester to complete request documentation
188.8.131.52.2 understanding the impact of the change
184.108.40.206.3 ensuring that key stakeholder has been informed and in agreement
220.127.116.11.4 ensuring that the necessary ITS resources are available on requested implementation date
18.104.22.168 Work Groups
Work Groups are responsible for implementing changes assigned to them once the change has been approved. The work group may be similar to the Technical Contact(s) and has the same responsibilities.
22.214.171.124 Change Management Team
The Change Management Team consists of the following people:
126.96.36.199 Chief Information Officer (or designee),
188.8.131.52 Director of Networks and Systems
184.108.40.206 Director of Enterprise Information Systems,
220.127.116.11 Director of Audit Compliance and Business Continuity,
18.104.22.168 Director of Client Services
22.214.171.124 Director Classroom Computer and Events
126.96.36.199 Director Web Services
188.8.131.52 Other ITS or Campus Department Representative(s) as needed.
3.6.2 Governance of Change Management
184.108.40.206 Change Management Team
The Change Management Team will review each request based on the criteria listed above and approve requested a change and schedule or ask the technical lead to gather more information from the requester.
220.127.116.11 Enterprise Systems Council (ESC)
This council is responsible for assisting ITS in determining scheduled maintenance windows and planning for major upgrades. The coordination of these upgrades is critical to maintaining quality service to the campus.
18.104.22.168 Change Management Meetings
22.214.171.124.1 These meetings can be held weekly or as needed. A member of the ESC will be invited to a change management meeting as necessary. The purpose of the meeting is to:
126.96.36.199.1.1 Bring all required parties together to assess the feasibility of implementing the change and provide status.
188.8.131.52.2.1 To review the status of all open changes, schedule for the current and upcoming weeks.
184.108.40.206.3.1 Discuss high impact changes.
220.127.116.11.4.1 Approve or disapprove each change as well as the Change Schedule.
18.104.22.168.2 Meeting Attendees
22.214.171.124.2.1 Change Management Team members
126.96.36.199.2.2 Other Department Representative(s) as needed
188.8.131.52 Approving the Change
A majority of the CMT must be present and approve a change for the request to move forward. Otherwise, the change will be held until such time as a majority has met and approved. Any member of the CMT can hold a change if a significant concern is made. The technical contact will be notified to gather additional information to address any concerns.
184.108.40.206 Monthly Report
The monthly report consists of charts showing the number of changes submitted during the month by category (i.e. high, medium and low risk), the number of problems caused by changes and the process measurements for the month.
220.127.116.11 Additional Meetings
Post-mortems will be convened on an "as needed" basis. It will be held for changes resulting in significant problems to determine what, if anything went wrong and how any such problems can be prevented in the future.
18.104.22.168 Campus Communications
If the change has a broad impact, communications will go out to the entire campus and/or appropriate parties by email and/or web posting. Communications will be coordinated through the CMT and project/technical leads.
4. Rule Enforcement
This requested changes will always go into effect with 24 hours when seen fit for security reasons. Any or all person(s) or department(s) who will be effected by the change will receive an emergency email from "firstname.lastname@example.org." If there are reasons for changes or updates, but there are no immediate risks, a minimum of 7 days will be provided before the change management will go into effect after the announcement of the changes are made.