This policy covers the process of testing and applying all additions, deletions and modifications to the Production environment. This Production environment includes:
- Server hardware and software used for conducting [organisation] business activities
- Systems used for the monitoring and control of these activities;
- Network and communications hardware and software;
- Data storage systems and changes to data using greater privileges than those granted to normal business users;
- Systems used to backup and recover the above environments; and
- Disaster recovery facilities.
This framework does not apply to changes to development, test or training systems, providing they are isolated from the Production environment.
This policy covers planned (ie scheduled) changes and unplanned (ie emergency) changes.
This framework applies to all employees, board members, contractors, consultants and visitors who are given access to [organisation] Production systems.
All changes to Production must have an accompanying Change Request that is approved in advance. In addition, all changes must be tested before being applied to Production.
The only exception to the above is for unplanned changes. In the situation where a problem occurs that is severely impacting [organisation] business operations, an Emergency Change Request must be raised.
For planned changes to Production:
- A Change Request is completed by the person requesting the change. This request details the nature of the change, when the change is to be applied, the Production systems and people to be impacted, and any associated back-out plan.
- Change Requests scheduled for the following week are reviewed and approved by the [sponsor role]. A Change Request must be approved at least one week before the change is to be applied in Production.
- The change is tested in an environment other than Production (unless exempted if this is not possible). Any problems identified in this testing are to be raised with the [sponsor role] for consideration. The Change Request can be amended or cancelled as a result.
- If testing was successful, the change is then performed in Production at the scheduled time.
- The Change Request is updated to include details of when the change was applied and any residual issues.
- Change Requests are retained for future reference.
For unplanned (ie an emergency change required to fix a problem with a critical [organisation] business function) to Production:
- Verbal approval is obtained as soon as possible from the [sponsor role] to make the change. In situations where the General Manager of Corporate Services is unavailable or un-contactable, approval must be sought as soon as possible after the change is applied.
- The change is applied in Production.
- An Emergency Change Request is completed within one business day of the change being applied, and signed off by the General Manager of Corporate Services within two weeks of the change being applied.
- Emergency Change Requests are retained for future reference.
Compliance and breaches[organisation] may commence applicable disciplinary procedures if a person to whom this Policy applies breaches this Policy (or any of its related procedures). This disciplinary action may include dismissal.
Legislative and other references
- <Information Security Policy>
- <Computer, Email and Internet Policy>
- <Information Management Policy>
- <IT User Access Policy>
- <IT Computer Surveillance Policy>