9-4 Information Technology Professionals Policy - Section V: Change Management Policy
V. Change Management Policy
This Policy establishes requirements for the Local Information Service Provider’s change management process to ensure that all changes are assessed, approved, and implemented and that their outcomes are reviewed, and to minimize the impact of change-related incidents on business operations and Users.
- Change Management
Local Information Service Providers must have a documented process to control changes to the Local Agency IT resources they support, including software, system documentation and operating procedures.
Change management includes the following documented processes and procedures:
- Risk assessments, an analysis of actual and potential impacts of changes, and necessary countermeasures or mitigation controls;
- Planning and testing of changes, including fallback (abort/recovery measures);
- Review for compliance with County/Local Agency security policies and Local Agency security requirements;
- Approval and authorization of changes;
- Appropriate notification of all affected parties prior to implementation, on the nature, timing, and likely impacts of the changes;
- Verification of changes to ensure the approved change was made, and to assess the post-implementation security state;
- Documentation and maintenance of change records for audit purposes and the investigation of security incidents; and
- Periodic review of the change management process for its effectiveness.