Information Services Divisional Change Management Policy

Information Services

Divisional Change Management Policy

In effect: January 1, 2018

Scope of Change Management

Change Management refers to a formal process for making changes to IT systems. The goal of

change management is to increase awareness and understanding of proposed changes across

an organization and ensure that all changes are made in a thoughtful way that minimize

negative impact to services and customers.

Change management generally includes the following steps:

● Planning: Plan the change, including the implementation design, schedule,

communication plan, test plan, and roll back plan.

● Evaluation: Evaluate the change, including determining the risk based in priority level of

service and the nature of the proposed change, determining the change type and the

change process to use.

● Review: Review change plan with peers and/or Change Advisory Board as appropriate

to the change type.

● Approval: Obtain approval of change by management or other appropriate change

authority as determined by change type.

● Communication: Communicate about changes with the appropriate parties (targeted or

campus-wide).

● Implementation: Implement the change.

● Documentation: Document the change and any review and approval information.

● Post-change review: Review the change with an eye to future improvements.

Scope

This divisional policy applies to all changes to architectures, tools and IT Services provided by

OSU Information Services. Modifications made to non-production systems (such as testing

environments with no impact on production IT Services) are outside the scope of this policy.

Policy

All Changes to IT services must follow a structured process to ensure appropriate planning and

execution.

By ITIL definition there are three types of changes: (a) a Standard Change, (b) a Normal

Change (of low, medium, or high risk), and (c) an Emergency Change. See “Appendix A –

Types of Changes and Definitions” for more detailed definitions. Each Change Authority must

establish an appropriate complete change management process commensurate with the type of

change being authorized (see “Appendix B – Risk Assessment” and definitions of types of

changes.)

Minimum Standards

1. All Changes must follow a process of planning, evaluation, review, approval, and

documentation. See “Appendix D – Process Examples” for default approaches.

2. Unit Directors serve as default Change Authorities (CA) for changes within their units

and have the authority to determine change type and risk level. If in doubt, a higher level

of risk should be assumed and additional review and approval should be sought.

3. All Standard Changes must have documented procedures in place that have been

approved by the Unit Director or delegate.

4. All Normal Low Changes must be approved by the Unit Director or delegate.

5. All Normal Medium Changes must be approved by the Change Advisory Board (CAB).

6. All Normal High Changes must be approved by the IS Executive Team.

7. All Emergency Changes must be authorized by a manager and submitted for review by

the CAB in retrospect to ensure that effective oversight was maintained and proper

communication occurred. NOTE: If services are down, the issue should be handled as

an Incident according to the Incident Response Policy.

8. Documentation of Normal Medium, Normal High, and Emergency Changes must be

made in a Process log that is stored in a common location so that coordination of

changes across the organization can be managed appropriately. Low risk Normal and

Standard Changes must be logged in a manner that can be audited for process

improvement and root cause diagnosis as part of Problem Management.

9. All changes are elevated one Change Type priority level during Critical Operations

Windows (see definitions).

Appendix A – Types of Changes and Definitions

Types of Changes

There are three types of changes:

1. Standard Change – A repeatable change that has been pre-authorized by the Change

Authority by means of a documented procedure that controls risk and has predictable

outcomes.

2. Normal Change – A change that is not an Emergency change or a Standard change.

Normal changes follow the defined steps of the change management process. Low,

Medium, or High priority is determined by Unit Directors or delegates according to the

Risk Assessment Instrument included as Appendix B.

a. Normal Low Changes must be reviewed and approved by the Unit Director or

delegate as Change Authority.

b. Normal Medium Changes must be reviewed and approved by the Change

Advisory Board as Change Authority.

c. Normal High changes must be approved by the IT Executive Team as Change

Authority.

3. Emergency Change – A change that must be introduced as soon as possible due to

likely negative service impacts. There may be fewer people involved in the change

management process review, and the change assessment may involve fewer steps due

to the urgent nature of the issue; however, any Emergency Change must still be

authorized by a manager and reviewed by the Change Advisory Board retroactively.

Definitions

Definitions adapted from Information Technology Infrastructure Library (ITIL). See

http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library.

Change - The addition, modification or removal of approved, supported or baselined hardware,

network, software, application, environment, system, or associated documentation.

Change Advisory Board - A group of people that support the assessment, prioritization,

authorization, and scheduling of changes.

Change Authority -The person or group authorizing a change. This role is designated for a

non-classified position.

Change Control - The procedure to ensure that all changes are controlled, including the

submission, analysis, decision making, approval, implementation and post implementation of

the change.

Change History - Auditable information that records, for example, what was done, when it was

done, by whom and why.

Change Log - Auditable log of who, what, why, and when for all changes. This may be system

specific as certain systems have the ability to automatically log changes in this manner.

Change Management - Process of controlling changes to the infrastructure or any aspect of

services, in a controlled manner, enabling approved changes with minimum disruption.

Core Service - A service that users directly consume and the organization receives value from.

Critical Operations Windows – Finals week starting on the Monday of that week for each

quarter, first two days of classes for each quarter, graduation weekend starting on the Friday of

that weekend, and fiscal year end close.

Enabling Service – A service that must be in place for a core service to be delivered.

Enhancing Service – A service that adds extra value to a service but is not absolutely required.

Impact - Determined by potential disruption to users, departments, colleges and the

organization as a whole. User means approximately 10 or less individuals.

Peer - Another IT professional that can review a change and understand the technical elements

involved.

Process Log - A central repository of Changes that documents the process followed for a

particular change. The purpose of the process log is to ensure that high impact changes have

been carefully considered and to serve as a basis for process improvement when changes do

not go as planned.

Request for Change (RFC) – A formal proposal for a change to be made. It includes details for

the proposed change.

Service – A means of delivering value to customers by facilitating outcomes customers want to

achieve without the ownership of specific costs and risks. Do we add value or assume risk?

Then it is a service we provide.

Urgency – How quickly a change must be implemented to maintain stated service level

agreement (SLA). Low can wait until the next scheduled CAB meeting, Medium cannot, and

High needs to be done ASAP.

Appendix B - Risk Assessment

Risk and Change Type Matrix for Normal and Emergency Changes

How to use this matrix:

First, determine the impact of the change to the service. Then assess the Urgency of the

proposed change (Low changes can wait until the next scheduled CAB meeting, Medium

cannot, and High needs to be done ASAP). The matrix shows whether the type of change is

then a Normal Low, Normal Medium, Normal High, or an Emergency change (Note: A Standard

change does not need to use this matrix because risk is controlled by a pre-approved

standardized process)

For example: A High Urgency change to a service that would impact the organization would be

considered an Emergency Change. A Medium Urgency change to a service that would impact a

department would be a Normal Medium change. A Low Urgency change to a service that would

impact Users would be a Normal Low change.

Low Urgency

Med Urgency

High Urgency

Impact - Organization

Change affects more than 1,000

individuals.

Normal Medium

Normal High

Emergency

Impact – College

Change affects approximately 1,000

or less individuals.

Normal Medium

Normal High

Impact - Department

Change affects approximately 100 or

less individuals.

Normal Medium

Normal High

Impact – User

Change affects approximately 10 or

less individuals.

Normal Low

Normal

Medium

Appendix C - Change Management Roles

Change Advisory Board (CAB)

The members of the Change Advisory Board provide a due diligence readiness assessment and

advice about timing for any Request for Change (RFC) that are referred to it for review. This

assessment should ensure that all changes to the IT environment are carefully considered to

minimize the impact on campus users and existing services.

CAB members are responsible for:

● thoroughly reviewing all change requests

● raising any potential concerns about the impact or timing of those requests

● ensuring the changes requested

○ have undergone proper planning and testing

○ are planned to ensure the lowest possible risk to services

○ are coordinated so changes do not impact each other

○ are coordinated with the campus calendar to avoid times of high impact for

affected services

● providing advice regarding any additional measures that should be considered prior to

the change

● report annually to the associate Vice Provost on change management metrics,

identifying patterns and making recommendations as needed

Any decision to move forward with a RFC should include an advisory review by the CAB in

advance for Normal Medium Changes and after the fact for Emergency changes.

Manager

Change Management responsibilities for first level managers include the following tasks:

● Review and approve timing and feasibility of RFCs

● Review and approve RFCs when authorized by CA

● Engage IT Communications manager to initiate communication with users

● Ensure that Requestor fills out the RFC accurately and completely

● Ensure staff availability to successfully complete the RFC

Change Authority

Change Management responsibilities for the Change Authority include the following tasks:

● Provide advisory input to the Requestor on any needed changes to the RFC prior to

approval, including any follow up communication necessary for clarification during the

change process

● Review and approve RFCs when needed

● Review change outcomes and make process changes appropriate to increase service

availability and service quality

Requestor

Change Management responsibilities for the Requestor include the following tasks:

● Ensure that additional resources are available in case of problems

● Prepare the request for change (RFC) and submit to the appropriate Change Authority

● Incorporate feedback from the Change Authority into the RFC

● Document the outcome of the change

Appendix D - Process Examples

Standard Change

Normal Change

Plan: Collect information to make the change;

follow documented procedure

Plan: Collect information to make the change;

perform testing; review documentation

Evaluate: Access documented procedure to

ensure compatibility with the change

Evaluate: Determine the risk, priority, and

Normal change type

Peer review: Conduct internal review as

needed in documented procedure

Peer review: Conduct internal or external

review depending on service priority

CAB review: Not required

CAB review: Submit to the CAB for

assessment and advice

Approval: Pre-approved by Change Authority

Approval: Obtain authorization from the

Change Authority

Communicate: Send targeted e-mail to

affected customers only as needed in

documented procedure

Communicate:

• Priority 1: Send notification to Outages

and other venues as needed (e.g.

Inform lists)

• Priority 2: Send targeted e-mail to

affected customers only as needed

Implement: Make the change

Document: Change Log

Document: Change Log and Process Log

(except for Normal Low)

Change Plan Documentation

All Normal and Emergency changes, evaluations and approvals will be documented to allow

customers to understand what was changed, the reason it was done and the process that was

used to make a change. The following details the kind of information that will be logged for each

change and where it will be logged.

Change Log

• All Standard, Normal, and Emergency changes are logged in the Change Log

• The Change Log contains:

o Who made the change

o What was changed

o Why the change was made (Reason/Comment)

o And When the change was made

Process Log

• Normal Medium, Normal High, and Emergency changes are logged in the Process Log

• The Process Log contains

o Test Plan and testing results

o Risk assessment documentation

o Communication Plan

o Deployment Plan, including back-out contingencies