Prince Sultan University PSU
Policy Management System
Change Management Policy

Policy Code: IT0009
Policy Title: Change Management Policy
Owner: Information Technology Center
Responsible Office/Department: Vice President for Academic Affairs
Approved by: University Council
Date Created: 02 February 2017
Recent Review: December 2023
Effective date:

POLICY STATEMENT

The Change Management Policy aims to manage IT system and infrastructure changes in a controlled manner, ensuring minimal service disruption and maintaining service quality. Applicable to all IT changes, including software, hardware, and network modifications, this policy mandates the use of standardized procedures for change handling, risk assessment, and impact analysis. It emphasizes clear roles and responsibilities, particularly the involvement of a Change Advisory Board for significant changes. The policy requires thorough documentation and effective communication of changes, alongside mandatory approval processes. Regular review and improvement of the change management process are also integral, and compliance is expected from all employees and contractors, with non-compliance subject to disciplinary action.

All changes to any Information system, resource, or asset must be approved first by the Change Management Committee; all changes must be documented and well communicated to all relevant stakeholders.

BACKGROUND AND JUSTIFICATION

In the dynamic landscape of Information Technology, changes to the IT infrastructure, applications, and systems are inevitable. These changes can range from software updates, hardware replacements, and configuration modifications to entirely new implementations.

Changes, while essential for advancement, can introduce risks, such as system outages or security vulnerabilities. The IT Change Management Policy ensures that all changes are systematically managed, minimizing potential disruptions and maintaining system stability and security. This policy reinforces our dedication to optimal IT governance and operational excellence.

SCOPE AND PURPOSE

This policy applies to all Authorized Users that install, maintain, or operate Organization information technology resources, including, but not limited to: computer Hardware, Software, and Networking devices. This policy describes a systematic process to document and manage changes to the Organization Information Technology Network in order to permit effective planning by the Organization Information Technology Services to serve the Organization user-base.

PRINCIPLES OF THE POLICY

  • Standardization: All changes to IT systems and infrastructure must follow a standardized process to ensure consistency, traceability, and reliability.
  • Risk Management: Every proposed change should undergo a risk assessment to identify potential impacts and develop mitigation strategies.
  • Stakeholder Involvement: Relevant stakeholders, including IT professionals, end-users, and business units, should be consulted and involved in the change process to ensure alignment with business needs.
  • Documentation: All changes, from initiation to implementation and post-review, must be comprehensively documented, providing a clear record and facilitating future audits.
  • Communication: Effective and timely communication is essential. All affected parties should be informed about planned changes, potential impacts, and any required actions on their part.
  • Rollback Strategy: A clear rollback plan should be in place before implementing any change, ensuring quick recovery in case of unforeseen issues.
  • Continuous Improvement: The change management process should be periodically reviewed and refined based on feedback, lessons learned, and evolving best practices.
  • Accountability: Clear roles and responsibilities must be defined within the change process. Individuals or teams responsible for proposing, approving, and implementing changes should be held accountable for their actions.
  • Training and Awareness: Staff involved in change management should receive regular training, ensuring they remain updated on best practices, tools, and the nuances of the organization's IT landscape.
  • Emergency Procedures: While standard procedures are crucial, there should also be guidelines in place for handling emergency changes, ensuring they are managed quickly without compromising system integrity.

DEFINITIONS

  • Change: Any modification, addition, or removal of approved, supported, or baseline hardware, network, software, application, environment, system, desktop build, or associated documentation.
  • Change Management: The systematic approach to proposing, evaluating, implementing, and reviewing changes in the IT environment.
  • Change Request (CR): Formal proposal for a change to be considered.
  • Change Advisory Board (CAB): A group of stakeholders responsible for evaluating and approving or rejecting CRs based on potential impacts and benefits.
  • Stakeholder: Any individual or group that can affect or be affected by a change, including IT teams, end-users, business units, and vendors.
  • Rollback: The process of reverting systems or components back to their previous state if a change fails or introduces unanticipated problems.
  • Baseline: A set standard or reference point in the system or application, typically a stable and known configuration.
  • Impact Assessment: Evaluation of the potential effects of a proposed change on different aspects of the IT environment and the business.
  • Emergency Change: A change that must be implemented as soon as possible, often bypassing usual procedures due to its urgent nature.
  • Release: The distribution of a change to the live environment, after thorough testing and approval.
  • Configuration Item (CI): Any component or system within the IT environment that is under change and configuration management.

RESPONSIBILITIES AND IMPLEMENTATION STRATEGIES

  • Change Requestor Responsibilities: Ensure that a comprehensive change request form is available, which includes sections for justification, impact analysis, risk assessment, and rollback plans. Training sessions should be conducted for those who may request changes to understand the process and requirements.
  • Change Advisory Board (CAB) Responsibilities: Establish a multidisciplinary CAB with representatives from IT, business units, and other relevant stakeholders. Regular meetings should be scheduled to review, prioritize, and approve or reject change requests. The decision-making process should be transparent and well-documented.
  • IT Teams' Responsibilities: Equip IT teams with appropriate tools and platforms for tracking, testing, and implementing changes. Provide continuous training on the latest best practices and ensure clear communication channels are in place for all stages of the change process.
  • Stakeholder Communication Responsibilities: Develop a communication plan that identifies the who, when, and how of communicating changes. Utilize various channels like email, internal portals, and team meetings to disseminate information. Feedback mechanisms should be established for post-change reviews.
  • Testing and Quality Assurance Responsibilities: Designate specific environments (like staging or QA) for testing changes. Implement automated testing tools where possible, and establish standard testing protocols to ensure changes meet required standards before release.
  • Rollback and Recovery Responsibilities: Always have a detailed rollback plan in place before implementing any change. Regularly test rollback procedures to ensure they are effective and can be executed swiftly if needed.
  • Documentation and Record-Keeping Responsibilities: Use centralized documentation platforms or change management tools to store all relevant details, decisions, and outcomes related to changes. Regular audits should be conducted to ensure documentation is up-to-date and comprehensive.
  • Training and Awareness Responsibilities: Implement regular training sessions for all involved parties. Create easily accessible resources, such as user manuals, how-to guides, and FAQs, to aid in understanding and adapting to changes.
  • Emergency Change Responsibilities: Designate a rapid-response team to handle emergency changes. Develop streamlined processes for these changes, ensuring they're managed efficiently without compromising on necessary assessments and approvals.
  • Continuous Improvement Responsibilities: After each significant change, conduct post-implementation reviews to assess outcomes, gather feedback, and identify areas for improvement. Adjust strategies and processes accordingly for future changes.

PROCEDURES FOR HANDLING POLICY VIOLATION

Any violation of this policy will make the subject susceptible to disciplinary actions in accordance with the Enforcement section of the ITC Unauthorized Use Policy.
https://www.psu.edu.sa/en/IT0002-unauthorized-use-policy

REFERENCES:

https://www.psu.edu.sa/en/cop005-disciplinary-policy