Policy Number:
Effective Date:
Prior Policy Number:
Last Updated:
Associate Chief Information Officer

Robert Morris University’s computing systems, technology architecture, and computer-embedded devices (“Internet of Things”) are essential to fulfill the university’s mission. Each system may have dependencies on data received, processed or stored by another system or component within the integrated system. A change to any part of the system or an associated system can result in information security weaknesses, which could be exploited to reduce the quality or reliability of business operations. Change management is especially important for online operations conducted by Robert Morris University due to the high rates of change. The change management discipline gives service managers control of service priorities by providing the procedures to safeguard existing services and safely introduce new services.

Policy Statement
Robert Morris University will maintain a formalized process to implement change controls for critical information systems that collect, process or store cardholder data or other sensitive information.
While the Robert Morris University Systems Development Life Cycle covers the development, acquisition, and implementation of new systems or significant updates, this policy provides the guidelines to manage smaller changes in systems or processes that may adversely impact the confidentiality, integrity or availability of critical Robert Morris University services and data, including cardholder information.

This policy applies to all Robert Morris University employees, contractors, vendors, and any other persons using or accessing Robert Morris University sensitive information or information systems.

Robert Morris University will manage four types of system changes to guide implementation of the change control process. The requirements for each type are set out below.

Standard Changes
  Description of change: A change that has been performed before and is part of the operational practice of the business, for example an update to a user profile, Windows updates, creation of firewall objects and rules, addition of DNS records, password changes, etc. Standard changes are preapproved and do not need to go through an approval process.
  Change Cycle: N/A
  Pre-change Requirements: N/A
  Approval Required: N/A
  Post-change Requirements: Must be logged or otherwise recorded according to the procedure for the standard change.

Minor Changes
  Description of change: Repair of system faults and deployment of emergency system patches to protect against vulnerability warnings, including virus alerts.
  Change Cycle: Hours or Days
  Pre-change Requirements: Develop a change plan that includes back-out procedures. Conduct a risk analysis of the change.
  Approval Required: IT Director
  Post-change Requirements: After the change is made, system documentation, operations processes and configuration documentation will be updated. The change will also be logged in the Change Control Log and reported to the IT Committee at the standing weekly meeting.

Significant Changes
  Description of change: Update or upgrade of existing systems, including major system patches or significant changes to system configuration to meet a new policy, security guideline or business requirement. Changes include both hardware and software components.
  Change Cycle: Weeks
  Pre-change Requirements: Develop a change plan that includes back-out procedures. Conduct a risk analysis of the change.
  Approval Required: Approval by all IT Management is required in advance unless it is an urgent change. Urgent changes require the same pre-approval and post-deployment documentation as minor changes.
  Post-change Requirements: After deployment, notify the IT Committee and post to the change log.

Major Changes
  Description of change: Major changes include development of new systems, new functions or replacement/removal of entire systems.
  Change Cycle: Months
  Pre-change Requirements: Develop a change plan that includes back-out procedures. Back up systems being affected by the change.
  Approval Required: All major changes must be designed, tested, deployed and documented per the Systems Development Life Cycle (SDLC) Plan.
  Post-change Requirements: Same as minor changes. System changes must be documented per the SDLC Methodology.

  • Conduct a needs analysis to specify requirements for a change and prioritize the timing and methodology to implement changes based upon the business need. The change control system will accommodate immediate updates to patch system vulnerabilities and implement required virus protection while at the same time accommodating systematic architectural changes to critical systems or applications.
  • Conduct a risk assessment to identify controls required to be maintained or added to meet risk control objectives.
  • Document all system changes and update all operating guides affected by the change. The Change Request form must be completed and approved by the IT Steering Committee. Change documentation must include documentation of impacts to the customer.
  • Depending on the type of change, the change must be approved prior to making the change, as specified in the table above.
  • Conduct a test of all changes prior to deployment on a production system.
  • Prepare a backup of all critical data and prepare a back-out plan.