
Change Control Policy

ICT Directorate, Ministry of Finance


Kabul, Afghanistan

The policy describes the rules and regulations in the change of ICT resources and provides
details on the roles and responsibilities and further related policies and procedures.


Policy No: 5
Policy Name: Change Control Policy

Effective Date: 01, September 2020

Date of Last Revision: 20, August 2020


Version No: 1

Responsible Person: Dilawar, ICT Advisor

Contact Information: dilawar.khan@mof.gov.af

Applies to: Applications, Network Devices, Network Infrastructure, ICT Services

Version History
Version | Approved By | Revision Date | Description | Author
1 | DM Admin | 20/07/2020 | Initial document | Mr. Dilawar

Approval And Review



Purpose
The purpose of this policy is to ensure that all changes to applications, network devices, network
infrastructure and ICT services minimize any potential negative impact on the services provided
by the ICT Directorate and on their users.

Scope
This policy, and all policies referenced herein, shall apply to all members working in the decision
process and change management of application development, network design and
infrastructure, and ICT services.

Policy Statement
• The change request should be prioritized based on the type of change (emergency,
standard, major, normal).

• Requests related to failures in power systems, connectivity failures, security incidents, system
crashes, system reports, and other common events, as mentioned, that lead to a stop in operation
are considered requests for emergency changes.

• Requests related to software maintenance, permissions and access to ICT services (IP phones,
emails, shared folders, connectivity, etc.) are considered requests for standard changes.

• Requests having significant financial implications and impacts on operation and resources,
such as migration of systems, integration of systems, establishing new systems, and related
operations, are considered requests for major changes.

• Changes should be examined for security implications through the participation of the
security administrators.

• The impact assessment of a change should be clearly performed by the Change Control
Committee before the change request is put into implementation. The information will
be used to determine the impact of the change by considering:

  o The impact that the proposed change will have on operations.

  o The risk involved in not making the change.

  o The risk if the change does not go as planned.

  o Predictability of the success of the change.

• The Change Control Committee should divide the tasks/activities and assign
personnel after approving the change requests.

• To ensure appropriate approval, planning, and execution, all ICT resource changes
of the normal, standard, or major type should follow the
change control process.

• The change initiator should note that the change has been successfully applied, tested,
and verified in a non-production environment when applicable environment(s) exist.

• Impact assessment of changes to the production environment should be done before the
submission of the change request, as per the change control process.

• Change requests may not be required for non-production environments unless there is a
significant upgrade or an impact.

• As per the change control process, all ICT resource changes should be clearly
documented.

• A lessons-learned session should occur in the event of an incident during a change
request.

Terms and Definitions

Change Control: It is a systematic approach to managing all changes made to
ICT Resources. The purpose is to ensure that unnecessary
changes are not made, that all changes are documented,
that services are not unnecessarily disrupted, and that
resources are used efficiently.

ICT Resources: It includes computing, networking, communications,
application, and telecommunications systems, infrastructure,
hardware, software, data, databases, procedures, physical
facilities, cloud-based vendors, Software as a Service (SaaS)
vendors, and any related materials and services.

Request for Change: The Request for Change is a formal request for the
implementation of a Change. The RFC is a precursor to the
'Change Record' and contains all information required to
approve a Change.

Exceptions
• Unexpected and emergency change requests that occur due to unplanned and
unconditional events where immediate action is required.

• Changes in the organizational and human resource activities.

Related Policies and other References

• Change control process

• Change control procedure

• Information security policy

• Patch management policy

• Risk management plan

Roles and Responsibilities


Change Manager
• Authorize and approve minor/low change.
• Coordinate and conduct meetings with Change
Control Committee to discuss higher risk changes.
• Authority to implement or reject a change.
• Ensures that all the activities designed to implement
the change are as per the standards.

Change Control Committee
• Reviewing the Change Requests.
• Assessing the impact, risks, and results of Change
Requests.
• Reviewing the change implementation plan and
other additional supportive documents.

Change Initiator
• Provide necessary information to the owner of the
Change Request.
• Attend CCC meetings and provide necessary inputs to
them.
• Review and document the change plan.
• Resolve issues related to the change.
• Update the user on the change activity.
• Support and take part in testing activities before and
after the implementation of the change.

Change Approver
• First-level approval of an RFC before it goes to CCC
review.
• Review all RFCs submitted by the change initiator.
• Ensure all necessary documentation is done prior to
approval.
• Request a review from a technical peer who will
ensure that all technical steps are appropriate and
correct.
• Approve or deny the RFC.

Disclaimer Statement
Deviations from policies, procedures, processes, or guidelines published and approved by the ICT
Directorate can only be made cooperatively between the ICT Directorate's authorized personnel
and the requesting entity, with sufficient time to allow for appropriate risk analysis,
documentation, and possible presentation to the ICT Directorate. Willful failure to adhere to ICT
Directorate written policies will be handled in accordance with governmental laws and regulations.
