Information Resources

Change Control


1. Introduction

The dependence on Information Resources to support the constantly changing business environment and the investment in computer equipment and software necessitate that computer-based operations be properly protected and controlled. The objective of Change Control is to ensure that adequate facilities are provided to securely contain and control computer hardware, software, data, and personnel, and to provide a stable production environment. This encompasses protection against unauthorized access to or modification of equipment, software, and data, and the provision of controls which enhance the continuity of business operations.

Any changes to the network infrastructure hardware, system software, operating systems, and security policies governed by Information Resources will be controlled and managed by the Change Control process.

The goal of change control is to facilitate changes while minimizing risk through testing, involving appropriate client and technical expertise, and communicating scheduled changes to all affected by the changes as well as to those identified in this document as being part of the change control process. All changes should be reversible. A back-out plan is also required. Appropriate Information Services personnel should be able to "back-out" changes by following a back-out plan created during the change control process. If "back-out" is not possible, that needs to be made known prior to the approval of the change.

2. Change Control Process

Steps leading up to and involving the change control process include the following:

  1. A customer request for a change, or any other change identified by Information Services personnel (new version of software, bug fix), triggers the need for the change control process to begin.

    Examples of events which trigger change control include but are not limited to the following:

    • Installation or upgrade of file servers.
    • Network hardware/software upgrades and configuration changes.
    • Installation of Security Service Packs/Hot Fixes/patches.
    • Implementation of a new security policy on the firewall.

  2. Steps required to make the change are identified.
     
  3. Initial risk and impact on customers is determined and documented.
     
  4. Test plan and back-out plan are created.
     
  5. Date of implementation is estimated based on who is affected and how long it will take to complete the change.
     
  6. Change Control Request document is created with supporting documents attached and sent to the appropriate people. For Networking and Telecommunications requests, the document will be sent to the Director of Networking and Telecommunications as well as the Assistant Director of Network Development. The Director will then determine the priority and forward the document to 1) the LanAdministrators email group 2) the Director of Information Technology Services for the Hospital and 3) the Assistant Director of Internet Technology Group for the Hospital. If deemed appropriate, based on impact, the Director will also send the document to the Information Resources Planning group. In the absence of the Director of Networking and Telecommunications, the Assistant Director of Network Development will forward the requests.
     
  7. Changes which have a Medium or High level of impact/risk (defined later in this document) will be reviewed by the Information Resources Planning group. A notification of the change request will be emailed to the members of the group. Each member will have 2 business days to respond to the request. If a member does not respond to the request, it is automatically assumed that the request is approved by that member. If it is determined that more discussion is needed, it will occur at the weekly IR Planning meeting held on Thursday afternoon. Medium and High impact changes are also discussed at a weekly Hospital managers meeting. Unless other information is needed, the request will be approved/denied. If the change required is determined to be time-critical and cannot wait until approval by each member of the Planning group, approval can be made by the Director of Telecommunications and Networking and/or the CIO.
     
  8. Upon approval of the change request and after proper testing and notification, implementation of the change may occur on the agreed date.

3. Approval and Schedule


Low Impact

Low impact changes include installation of new systems or reconfiguration of existing systems, where the procedure can be reversed easily and quickly and does not affect more than a few users. Example: Installation of new access switch to expand equipment closet capacity.

University Approval: Approved by the Assistant Director of Network Development and/or the Director of Telecommunications and Networking. Changes can be made as soon as the change control request is approved.

Hospital Approval: Approved by the Director of Information Technology Services and/or the Assistant Director of Internet Technology Group. Changes can be made as soon as the change control request is approved.

Medium Impact

Medium impact changes include installation of new systems or reconfiguration of existing systems which affects a group or several groups of people and can be completed with minimum downtime. Example: software upgrade on a particular switch in an equipment closet which requires a restart of the switch.

University Approval: Approval obtained by the Assistant Director of Network Development and/or the Director of Telecommunications and Networking. If higher approval is needed, it will be up to the Assistant Director or Director of Telecommunications to get the approval from the CIO. Changes can be made on the agreed upon date after proper notification and testing.

Hospital Approval: Approved by the Director of Information Technology Services and/or the Assistant Director of Internet Technology Group. All other Assistant Directors in Information Services and the Directors of the areas that will be impacted must be notified. If higher approval is needed, it will be up to the Director of Information Technology Services to obtain that approval from the Corporate Director of Information Services. Changes can be made on the agreed upon date after proper notification and testing.

High Impact

High impact changes include installation of new systems or reconfiguration of existing systems which affects large groups of people or the entire Medical Center. A large group is defined to be an average size department of 25 people or more. The changes may also require significant down time. Example: installation of new interface card in the core router or blocking a port on the firewall.

University Approval: Approval is obtained by the Assistant Director of Network Development and/or the Director of Telecommunications and Networking. The approval obtained will come from the Director of Telecommunications and/or the CIO. Changes that affect the Hospital and the University will need to be made during the monthly scheduled downtime.

Hospital Approval: Approved by the Director of Information Technology Services and/or the Assistant Director of Internet Technology Group. All other Assistant Directors in Information Services and the Directors of the areas that will be impacted must be notified. If higher approval is needed, it will be up to the Director of Information Technology Services to obtain that approval from the Corporate Director of Information Services. Changes that affect the Hospital and the University will need to be made during the monthly scheduled downtime.

Emergency Changes

There are situations where, in order to support the continuity of business operations, an emergency production change will be required.

Examples of situations that would merit the scheduling of an "Emergency" change would include:

  • Production problems.
  • Any change, which if not implemented, would have a potential impact on patient services.
  • A change, which if not implemented, greatly impedes resource productivity or causes unacceptable additional costs.

All emergency changes require the notification of the CIO and Director of Telecommunications and Networking for the University and the Director of Information Technology Services and/or the Assistant Director of Internet Technology Group for the Hospital.

4. Notification Requirements

Upon approval, notification of changes is required as part of the change control process. The individuals notified will depend on several things including: entities affected by the change (Hospital/University), the level of risk involved, impact on the customer and the amount of downtime needed to make the change. Outside of emergency changes, the timing of notifications should be reasonable to allow for a response and any alternate plans that need to be made by those affected by the changes.

University Notification

Default Notification

A default set of people will be notified for every change control item processed. This is to ensure that the University and Hospital are notified of a change even when only one entity is thought to be affected. On the University side, the Assistant Director of Network Development, the Director of Telecommunications and Networking, and the University Security Administrator will receive the notifications of each change (this list will be fine-tuned as time goes on). Hospital personnel to be notified for each change include the Director of Information Technology Services, the Assistant Director of Internet Technology Group, and the Hospital Security Officer.

Help Desk/LanAdministrators

In all situations where customers are affected by changes, the Customer Support help desk and Network Development divisions of Information Resources, as well as the LanAdministrators, will be notified with full details of the changes and how they need to respond to calls coming in concerning the change. Because computer room operators take over calls from the help desk after hours, we will also notify the Assistant Director of Operations Support Services for distribution to both the Hospital's Technical Resource Center and the Computer Room.

Customers

If a change being made affects 1 or 2 individuals, the person submitting the change request will notify those specifically involved. In the case where specific departments are affected, notification will be made to key individuals in those areas at which time it will be up to the key people to notify other personnel in the affected areas. If the entire University is affected by a change, a broadcast message to the appropriate distribution list can be made.

Notifications for changes being made by University personnel that affect Hospital employees will be left to the Hospital management team who are a part of this change control process.

IR Management

For medium and high impact changes or when otherwise determined necessary, the CIO and Director of Telecommunications and Networking must be notified.

Hospital Notification

The Director of Information Technology Services, the Assistant Director of Internet Technology Group, and the Corporate Director of Information Services will be notified for all High and Medium impact changes. The Director of Information Technology Services or assigned designee will inform all Assistant Directors in Information Services of the pending change.

Initiating a Change Request

Two possible options at this point:

Use a standard form: a modification of the Hospital Change Planning Form to meet University and Hospital needs.

Or

Use change control software. We are currently awaiting approval to purchase the change control module to be used with Peregrine (the University's help desk software). This option makes more sense because we will be able to track the changes in a database as well as attach all supporting documentation needed through the change control process.