Change Management

Introduction

The production environment changes each day, and it is important that the changes users make be tracked to reduce risk and ensure the integrity of catalyst's products.

Scope

The addition, deletion, or alteration of state to the configuration, components, software or hardware in production. Additionally, the non-reversible alteration or deletion of customer data.

Roles

An Approver is the Business Owner who is accountable and responsible for a resource.

Requesters may request changes for their own accounts subject to the approval of the Business Owner, or they may be requesting a change for another account or system.

Operators are responsible for executing changes, but Operators do not have the authority to approve changes.

One individual should fulfill only two out of the following three access roles: Requester, Operator, and Approver (Business Owner).

Policy

All changes in the production environment must follow the documented change process. Changes will be categorized with a system.

  • Standard Changes must have an approved and documented procedure with a well-understood outcome and appropriate appreciation of risk. They are pre-qualified but not always pre-approved.
  • Normal Changes must follow the full Change Management Process. Normal changes must be individually approved by the Business Owner of the resource and may not be pre-approved.
  • Emergency Changes may be a Standard or Normal Change but will be on an accelerated timeline. Operators should always attempt to follow the full Change Management Process.

Appropriate review of changes shall be conducted with an appreciation of risk. Business Owners will use the review as grounds for approval. The Business Owner, upon review, can approve a documented procedure to transition the activity from a Normal to a Standard Change.

Compliance

Department Directors are responsible for the regular oversight of their department’s change participation and documentation.

Violations of the policy will be met with corrective action and carry the possibility of disciplinary action up to, and including, termination.

Exceptions

Exceptions are only expected for sensitive information within a Security Incident. Security Incident exceptions must be documented and approved by the Security Committee.

Colophon

Owner: Security and Compliance Committee

$Date: 2018-07-18 08:18:26 -0600 (Wed, 18 Jul 2018) $

$Revision: 468886 $
