IT Change Management Policy
TEC 14.0
Office of Information Technology
Applies to: Information Technology Staff Members
University of Mount Union Page 2 of 4
• Post-change review: Review the change with an eye to future improvements.
This policy applies to all changes to architectures, tools and IT services provided by the Office of Information Technology.
Modifications made to non-production systems (such as testing environments with no impact on production IT Services)
are outside the scope of this policy.
Staff maintaining systems and network systems are required to document changes. The Office of Information Technology
staff will record changes for the following categories of the IT Environment:
• Firewall
• Telephony/Teams environments (including audio codes)
• Network equipment (including Wireless Access Points (WAP))
• Servers, including new installation and patches
• Administrative and Academic Systems
• Mobile Apps
• Liquidation/Destruction of Hard Drives
• PCI Network
• Cash Registers
• NOC Access
• Internal Risk Assessment
• Penetration Network Tests
• Network monitoring/BitLyft
This list is not all inclusive but list the main categories that should be covered with regard to change management.
All changes to IT services must follow a structured process to ensure appropriate planning and execution.
Types of Changes:
There are three types of changes: (a) a standard change, (b) a normal change (of low, medium, or high risk), and (c) an
Emergency Change.
Standard – A repeatable change that has been pre-authorized by the Change Authority by means of a documented
procedure that controls risk and has predictable outcomes.
Normal – a change that is not an emergency change or a standard change. Normal changes follow the defined steps of
the change management process. Low, Medium, or High priority is determined by the Change Authority, IT or delegates
according to the Risk Assessment Instrument included below.
a. Normal Low Changes must be reviewed and approved by the change authority.
b. Normal Medium Changes must be reviewed and approved by the Change Authority and unit director or system
owner.
c. Normal High Changes must be approved by the IT Executive Team as Change Authority.
Emergency Change – A change that must be introduced as soon as possible due to likely negative service impacts.
There may be fewer people involved in the change management process review, and the change assessment may
involve fewer steps due to the urgent nature of the issue; however, any Emergency Change must still be authorized by a
IT Executive.
Risk Assessment Instrument: Risk and Change Type Matrix for Normal and Emergency Changes.
• Determine the impact of the change to the service.
• Then assess the urgency of the proposed change (low can generally wait, Medium, cannot, and high needs to be
done ASAP)
• The matrix shows whether the type of change is then a Normal Low, Normal Medium, Normal High, or an
Emergency Change (Note: A Standard change does not need to use this matrix because risk is controlled by a
pre-approved standardized process)