System Change Management Policy - 2023
System Change Management Policy - 2023
System Change Management Policy - 2023
4.0 DEFINITIONS
N/A
5.0 RESPONSIBILITIES
MISSION CRITICAL SYSTEMS CHANGES
Changes that will be documented through the HSSU change process but do not normally
require prior approval or formal change planning include (but are not limited to) the
following:
When an emergency change is needed, IT Services staff and managers will generally follow
the protocol outlined in the document entitled ‘Procedures for System Emergencies for IT
Staff and Managers.’ Emergency changes always require the submission of a Help Desk
change ticket, regardless of their severity level. Emergency changes may be temporary or
permanent. Permanent emergency changes to mission-critical must be followed up by
creating supporting documentation through the institution’s Change Management Planner.
Examples of emergency changes include (but are not limited to the following):
• Disabling a single user’s access to ERP/SIS systems due to a security incident (requires a
help-desk change ticket marked as a change in user access).
• Modifying all user access to ERP/SIS systems to contain a security incident (requires a
help-desk change ticket and documentation through the Change Management Planner).
It is important to note that in both examples, the change precipitates an incident management
protocol, which requires further investigation and research by the institution’s Security Incident
Response team.
Emergency changes to mission-critical systems are rare but may be required when circumstances
dictate. Circumstances may include but are not limited to the following:
• Units are unable to complete urgent business functions (business continuity is interrupted).
• A security risk has been detected is unable to be contained.
• Institutional data assets are corrupted or at risk of becoming corrupt.
• Environmental changes create unacceptable conditions for system operations.
The following are examples of Critical changes that are not to be treated as emergency changes
and should be referred to an IT administrator for change planning: