The Change Management Procedure controls any additions, deletions, or modifications to the department configuration of desktops, servers, and network hardware and/or software.
Any changes (including patches) could have an impact on the security posture of the department environment, due to rules used to establish the systems, especially on servers (this can be more important on critical systems). Staff members assigned to the Change Management Process must approve any changes. When a change request is received, it should be evaluated using the following criteria:
* Budget dollars
All requests for changes must be evaluated and approved (or disapproved) in order to recognize and control security and access. Use a change request form that can record submissions, investigation, review, and approval. All requests should be recorded on a change request log where their status should be tracked.
The Department Primary System Administrator is responsible for maintaining the log by recording new change requests, updating change requests, and identifying status of change requests.
Change Request Approval/Acceptance Procedure
The life cycle of a change request follows a defined procedure, summarized by the phrase: ID, Estimate, and Approve.
1. A team member identifies a need for a change.
2. The member fills out the change request form, first describing the proposed change and then enumerating the reasons for it.
3. The project manager (and senior management) analyzes the request.
4. If the manager (and senior management) gives preliminary approval, the request is investigated by an assigned party.
5. Management considers the effect of the change, specifically how it will affect the scope of the project and budget.
6. Following the investigation, management convenes and evaluates the change request and the results of the investigation.
7. Management designates the change request as "closed," "deferred," "rejected," or "on hold."
Steps in the change request procedure must be recorded in the change request log by the project administrator. At any point in the process, the change request can be identified in the log and its status noted.