Change management policy and detailed procedure
Policy summary
This policy lays out cost-effective information security arrangements for managing and controlling changes to AADF business processes and/or the supporting IT systems, networks, configurations etc., in order to minimise the organisation’s information risks.
Applicability
This policy applies throughout the AADF as part of the governance framework. It is particularly relevant to changes affecting main IT systems/networks/services and critical business processes. It also applies to changes on less important IT systems/networks and processes including those shared within workgroups or developed and used by individuals. This policy also applies to third-party employees working for the organisation whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and acceptable behaviour) to uphold our information security policies.
Policy detail
Background
Virtually all changes are associated with risks to varying extents, while sometimes failing to change or delaying changes can also be risky (e.g. not responding to new compliance obligations or emerging information security threats). Badly managed or uncontrolled changes, especially those involving major corporate IT systems/networks and critical business processes, can cause disruption, lead to system/network/process/service failures, introduce information security vulnerabilities, expose the organisation to other threats, corrupt data and increase costs. Unwise or mismanaged changes may threaten the organisation’s efficiency, effectiveness, compliance and ultimately its survival.
Policy axioms
- Changes to management systems, business processes and the associated IT systems, networks, applications etc. must be competently planned, managed, directed and controlled to minimise information risks.
- The extent and nature of management control should reflect the degree of risk inherent in the changes.
- Changes must fulfil any compliance obligations imposed by the laws, regulations and contractual obligations, and conform with applicable policies and standards in effect at the time of implementation.
Detailed policy requirements
- Anyone making changes to business processes and/or the associated IT systems/networks must follow the organisation’s change management and control processes, including:
- Analysing and documenting the proposed changes;
- Assessing and treating the associated risks, particularly information risk;
- Gaining management authorisation for the release, including approval by the relevant Information Owners, where applicable;
- Managing and controlling system/cloud configurations and settings, software versions, users and support documentation etc.
- All changes must be reviewed by the CISO and the relevant Information Owner, who decide whether or not to approve them.
- Risks associated with changes to systems/networks and processes must be assessed as part of the management process. If they are unacceptable to the Information Owners whose information is involved in, or likely to be impacted by, the changes, the risks must be treated, normally through assurance and resilience controls such as:
- Standard ‘template’ installations with secure configuration settings (e.g. no unnecessary privileged accounts and utilities, standardised security logging and alarms);
- Pre-release (production acceptance) testing;
- Post-release (verification) testing;
- Backups and back-out arrangements, plus business continuity arrangements to minimise adverse business impacts if a change implementation should fail.
The actual requirements depend on the risks arising from a given situation. Occasionally the risks may be so severe that changes may be halted or delayed pending redesign, additional testing or other approaches (risk avoidance).
- Other valuable information is also subject to change from time to time, for example new business relationships and new workers. The corresponding information risks should be managed in the same way.
- In order to comply with our obligations under various laws, regulations and contracts, changes may be imposed upon us, forbidden, or modified. For example, changes that impinge upon personal information must not make us noncompliant with the relevant privacy laws and regulations. Compliance may therefore be another factor to be considered by the Information Owners, taking advice from the relevant professionals.
- We must also conform to information risk and security objectives, policies, directives etc. formally expressed by management, or seek authorised exemptions.
Responsibilities
- Information Security/Compliance is responsible for maintaining this policy and advising generally on information security controls. Working in conjunction with other corporate functions, it is also responsible for running educational activities to raise awareness and understanding of the obligations identified in this policy.
- IT is responsible for following the IT change management process for changes to all corporate IT systems/networks, including the process controls noted in this policy.
- Information Owners are personally accountable for the protection and legitimate exploitation of ‘their’ information. They have a direct interest in ensuring that changes and configurations are properly managed and controlled in order to minimise unacceptable and unnecessary risks.
- Help Desk, in conjunction with specialists from IT, Risk Management, Information Security etc., is responsible for advising IT users and managers on techniques to minimise the risks associated with IT changes.
- Workers are personally accountable for compliance with applicable legal, regulatory and contractual obligations, and conformity with policies at all times.
- Internal Audit is authorised to assess conformity with this and other corporate policies at any time.
Change procedure
For compliance purposes all communications must be in writing (by email, or within meeting minutes). This documentation will be retained by the <Role> and filed with the change documentation. For this reason, verbal requests and authorisations are not acceptable.
Risk
If not properly controlled, changes could be made that negatively impact the business and prevent people from fulfilling their roles. Changes could be made by individuals who are not fully aware of the impact on other areas of the business. If change is not controlled the business could be exposed to fraudulent activities.
Submitting the change request form
- Complete a Change Request Form (see Annex 1 below).
Enter as much detail as possible in the ‘Request details’ section. If this change will affect other departments please enter the names of the department managers in the ‘Other departments affected’ section.
- Once the form has been completed, email it to <mailbox>. They’ll log the form and pass it to the Information Owner and CISO to evaluate it, so that the change can be scheduled.
Review the specification
- The Information Owners will need to approve the specification by email.
The implementation plan
The implementation plan details all the stages that are required in order to successfully manage the change, and includes a Test Plan and Roll Back Strategy. In more complicated changes this may also include a project schedule and timeline:
- Review the implementation plan.
- Make the Change Management Controller aware of any amendments or changes.
- Make a note of the timeline and any training or testing, plus how this will affect department staff.
- Make a note of any dependent tasks. For example, if one department is unable to make a change until another has completed theirs.
- Authorise the implementation plan by email.
Change
To minimise unnecessary disruption and ensure that the plan is followed as closely as possible, any issues must be highlighted to the Change Management Controller as soon as possible. The Change Management Controller will co-ordinate communications between the stakeholders, ensuring all staff follow the implementation plan.
Post-implementation review
Once a change has been implemented it is important that the situation is reviewed to identify any problems that could be prevented in the future, or improvements that could be made. The <Role> will carry out a post-implementation review one month after the change has been promoted to live.
The <Role> will review the change documentation and follow-up materials quarterly. The minutes and action points of these reviews are held on file with the change documentation. The internal and external auditors will examine the change management documentation at an <agreed time period> and their comments and recommendations will be acted upon.
Annex 1
Change Request Form
Section 1: Requestor Information
Name:
Department:
Email:
Phone:
Section 2: Change Details
Date of Request:
Change Title:
Description of Change:
– What is being changed?
– Why is the change necessary?
– What are the expected benefits of this change?
Section 3: Impact Assessment
Impact on Information Security:
– How will this change impact the confidentiality, integrity, and availability of information?
Impact on Compliance:
– How will this change affect Information Security Policy inside AADF?
Impact on Operations:
– How will this change impact current operations, systems, and processes?
Section 4: Risk Assessment
Potential Risks:
– Identify any risks associated with the change.
Mitigation Plans:
– What measures will be taken to mitigate these risks?
Section 5: Approval and Implementation
Requested Implementation Date:
Approval Signatures:
– Information Security Manager:
– Department Head:
Implementation Plan:
– Outline the steps required to implement the change.
Testing Plan:
– Describe how the change will be tested to ensure it meets security and operational requirements.
Section 6: Post-Implementation Review
Review Date:
Review Conducted By:
Results:
– Was the change implemented successfully?
– Were there any issues or unexpected outcomes?
– Recommendations for future changes.