Information Technology Change Management Standard

Title

University of North Carolina at Chapel Hill Standard on Information Technology Change Management

Introduction

Purpose

The goal of Information Technology (IT) change management is to increase awareness and understanding of proposed IT changes across the University and ensure that all such changes are made in a thoughtful way that minimizes negative impact to IT systems, services, users and other customers.

The purpose of this Standard is to:

  1. Describe all required elements for a change which must be in place prior to implementation in order to minimize negative impact on other IT systems and services,
  2. Support notification of all appropriate parties in advance of any change, and
  3. Set minimum requirements for managing Information Technology (IT) changes which must be met by University units to comply with the requirements of our IT Security program.

Scope of Applicability

University business units and constituent individuals responsible for material changes to production IT systems, applications, and services.

Standard

Required

University units responsible for IT systems and services shall establish an orderly method by which to implement material changes to an IT environment. Such changes shall be requested, tested and approved prior to implementation in accordance with this Standard.

University business units responsible for changes to IT systems and applications should implement change processes according to the size, scope, and risk profile of their IT environment. Units must create and document processes or procedures which at a minimum:

  • Classify types of IT changes into categories. At a minimum, these must distinguish operational changes, normal changes, and emergency changes. Additional categories may be used. Documentation should include examples for each category.
  • Ensure changes are submitted and implemented by authorized users/requestors.
  • Ensure changes are assessed based on risk and approved by authorized approvers with appropriate separation of duties.
  • Address communication of material changes to all relevant individuals.

Recommended

The following should be implemented as appropriate and feasible. Units should consider the following for both applications and systems when developing IT change management processes and procedures:

  • Documenting the change request:
    Change requests should be categorized and recorded, along with informal assessments of the importance of that change and the difficulty of implementing it.
  • Formal assessment:
    The justification for the change and the risks and benefits of making or not making the change are evaluated. Document a system for accepting or rejecting change requests, with communication of decisions back to the requestor.
  • Planning:
    Those responsible for changes should document methodology for test plans or maintain records of detailed test/project plans for change design and implementation, as well as plans for rolling back changes and rollback triggers should changes be deemed unsuccessful.
  • Designing and testing:
    Design the program for system/software change and tests. If the change tests are successful and approved, the change may be scheduled for implementation in a production environment.
  • Implementation and review:
    Responsible staff implement the change and appropriate parties review the change as appropriate.
  • Final assessment:
    The change request is closed when the implementation is completed satisfactorily and outcomes are achieved.
  • Change documentation:
    All planned changes requiring change management approvals and made to systems (e.g. servers, databases, applications, batch jobs, and infrastructure) should be documented.

Exceptions

Due to the rapid implementation and transient nature of some research systems, self-maintained (not maintained by a formal IT group), single-server research systems used only within the area of responsibility of a single Principal Investigator (PI) may be excepted from the requirements of this Standard at the discretion of the University unit responsible for each system. This exception must be approved and documented by the IT or other staff member overseeing IT change management for the unit.

Test and development systems are excepted from this Standard if they are separate from production systems such that changes to the test system would have a low risk of production impact.

Other exceptions to this Standard may be issued in writing by the Chief Information Officer (CIO), the Assistant Vice Chancellor for Customer Experience and Engagement, or another CIO designee.

Definitions

  • Change: The addition, modification, or removal of anything that could affect IT services.
  • University Constituent: UNC-Chapel Hill faculty, staff, students, retirees, and other affiliates, contractors, distance learners, visiting scholars, and others who use or access UNC-Chapel Hill resources.

Related Requirements

External Regulations and Consequences

Failure to comply with this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this standard may face termination of their business relationships with UNC-Chapel Hill.

Violation of this standard may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Contact Information

Primary Contact

Unit: ITS Policy Office

Phone: 919-962-HELP

Email: its_policy@unc.edu

Details

Article ID: 131250
Created
Thu 4/8/21 9:04 PM
Modified
Mon 7/12/21 11:04 AM
Effective Date
If the date on which this document became/becomes enforceable differs from the Origination or Last Revision, this attribute reflects the date on which it is/was enforceable.
08/19/2020 10:48 AM
Issuing Officer
Name of the document Issuing Officer. This is the individual whose organizational authority covers the policy scope and who is primarily responsible for the policy.
Issuing Officer Title
Title of the person who is primarily responsible for issuing this policy.
Assistant Vice Chancellor, Customer Experience & Engagement
Last Review
Date on which the most recent document review was completed.
08/19/2020 10:48 AM
Last Revised
Date on which the most recent changes to this document were approved.
08/19/2020 10:48 AM
Origination
Date on which the original version of this document was first made official.
04/24/2018 12:00 AM
Responsible Unit
School, Department, or other organizational unit issuing this document.
Information Technology Services