Change Management Policy

Last Updated: December 2, 2020

 

Introduction

This document provides formally documented management expectations and intentions and is used to direct decisions and ensure consistent and appropriate development and implementation of processes, standards, roles, and activities.

The purpose of this policy is to ensure that any changes to PCMR Technology Environments are managed through an established process. PCMR will utilize the best practice framework (e.g., Information Technology Infrastructure Library [ITIL]) for the implementation of Change Management within the PCMR and client's Technology Environments.

Change Management is the process that controls the life cycle of all changes, enabling beneficial changes to be made with minimum disruption to IT services.

The goals of the PCMR Change Management Policy include the following:

  • Establish and enforce a standard process for planning, approving, implementing, and reporting changes to PCMR Technology Environments.

  • Establish clearly defined best practice processes to ensure compliance with Payment Card Industry (PCI) and other legal or regulatory requirements.

  • Prevent or minimize risks to the PCMR Technology Environments as a result of a Change Request (CR) being implemented.

Scope

This policy applies to all PCMR personnel and contracted vendors involved in activities that cause or require changes to technology solutions within the PCMR Technology Environments.

IT environments designated by the PCMR Leadership Team, including, but not limited to, applications, data, network, platforms, databases, middleware services, computing facilities, and systems management are covered under this policy. The Change Management Policy also applies to the design, configurations, parameters, and documentation of those components. This document is used in conjunction with all IT and Security Policies, Processes, and Standards.

Policy Text

The following Policy is established for Change Management:

  • All PCMR supported organizations must use the current tool and documented change management process to prioritize, control, and approve all technology solution changes.

    • A CR is required for any change to the environment(s) that are subject to the policy as designated by the PCMR Leadership Team.

    • The scope of an approved CR cannot be modified. If scope modifications are needed, then a new CR is required.

    • Modifications may be needed to clarify or correct an approved CR. Modifying an existing approved change invalidates the existing approvals and then the CR is cancelled. A new CR is created.

    • A CR must be submitted for approval in a complete format with a defined scope as well as implementation date, time, and instructions.

    • CRs must be approved as stated in the Change Classification section of the Change Management Process.

    • CRs cannot be submitted more than 45 days before the planned implementation start date.

    • CRs cannot span more than 60 days between the implementation start and end date.

    • Individual CRs must be submitted for changes to each application. Exception (non-PCI systems): Operating System or Database patches or infrastructure changes being implemented across the entire platform.

    • As standard practice, Production changes are not scheduled and do not occur during core business hours.

      • Core business hours are defined as either:

        • 6am CT to 9pm CT, Monday through Saturday, or

        • Service-specific business hours (e.g., services that run or are primarily used at night)

      • However, for Production changes that must be scheduled during core business hours, if the application is a Business Critical Application, the change will require approval by either the requesting or implementing CR manager approval group or their designee.

    • An Impact Analysis is required for all production environment changes.

    • Risk analysis for all changes will require a description of:

      • Known or possible errors, failure, loss of service

      • People, Groups, Organizations affected

      • Complexity constraints such as tight implementation window or dependency or SME

      • Risk for not implementing or postponing change

    • A back-out plan must be provided for each CR. A documented back-out plan providing established restoration procedures for Normal, Expedited, and Emergency CRs that impact the Production environment must be provided.

    • All Configuration Item changes require updating the Change Management Database (CMDB) and must conform to the Configuration Management Policy and Standard.

  • Prior to gaining initial access to the Change Management tool, individuals must complete appropriate education that is designated for their Change Management role(s).

  • All IT resources may request access to the current IT Service Management tool and the Change Management module as appropriate.

Exceptions

Any requests for exceptions to this policy must be submitted in writing and will be reviewed on a case-by-case basis. Exceptions shall be permitted only after documented approval from the PCMR Leadership Team.

Policy Compliance and Monitoring

CRs will be audited on a periodic basis by the Change Management team for policy compliance. The appropriate IT executive manager will be notified of any individual who violates the policy. The violation may be subject to review and further actions.
