Skip to Main Content Skip to Footer Toggle Navigation Menu

Change Management Policy

Purpose

The purpose of this policy is to ensure that all changes to College IT Resources are tracked, to support continuity of IT services, and reduce negative impact on services and Users.

Scope

This policy applies to all Macalester College employees (faculty, staff, student workers), organizations, contractors and volunteers.

Policy

  • Standard and normal changes to College IT resources must be documented per the change control procedure.
  • Changes to College IT resources must follow the change control procedure to ensure appropriate approval, planning and execution.
  • Change requests may not be required for non-production (e.g. dev, test, QA) environments unless there is a significant upgrade or impact.
  • Production change requests must note that the change has been successfully applied, tested, and verified in a non-production environment when a suitable environment exists.
  • Changes to production environments undergo impact examination before submitting the change request per the change control procedure. This information will be used to determine the impact of the change by considering:
    • The impact the proposed change will have on business operations, if it is expected to cause a widespread outage, a loss of connectivity or functionality to a specific group or groups;
    • The risk involved in not making the change;
    • The risk if the change does not go as planned; and
    • Predictability of the success of the change.
  • Changes must be vetted for security implications through the participation of the Information Security Manager.
  • Significant user experience changes must be conveyed to ITS leadership and communicated to the affected audience and ITS Help Desk.
  • An after action review will occur in the event of an incident during a change request, or whenever an undocumented change leads to an incident. Notes of the session will be documented and shared with ITS leadership.

Emergencies

In emergency cases, actions may be taken outside of change control procedure if approved by leadership. All changes should be documented and reviewed upon the conclusion of emergency.

Definitions

Change Control is a systematic approach to managing all changes made to College IT resources. The purpose is to ensure that no unnecessary changes are made, that all changes are documented, that services are not unnecessarily disrupted, and that resources are used efficiently.

Standard Change is pre approved and is low-impact, well-known, and documented. Standard changes require a risk assessment and authorization when implemented for the first time, but subsequent implementations can be done without these precautions as long as the change has not been modified.

Normal Change needs to follow the entire change procedure; it should be scheduled, have its risk assessed, and be authorized. Normal changes include both minor (low to medium impact and urgency) and major changes (high impact and urgency). All changes that are not standard or emergency should be treated as normal changes and adhere to the change control procedure.

Emergency Change has a high impact and urgency, requiring expedited assessment, approval, and implementation to get services up and running as soon as possible. Modifications to components that affect business operations, and therefore cause downtime, are treated as emergency changes.

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, and cloud-based vendors. Software as a service (SaaS) vendors, and related materials and services.

Enforcement

Any user found to have violated this policy will be subject to revocation of certain privileges or services, including but not limited to loss of user account access. Consultation with your supervisor will be made prior to enforcement action.