Change Control Supplemental Policy
Number: 8055.0 Revised: August 15, 2010
Any changes to the configuration or management of servers, computers, and other network attached devices must be done in a manner that ensures continued information security. Therefore, all campus information and network systems designated as critical, business and vulnerable (see 8045.100) must follow Change Management Standards as defined by the Information Security Officer. Formal review and approval by the Information Security Officer or his designees is required prior to deployment of all changes identified as having significant potential for increasing information security risk. Changes typically defined as ‘significant’ include, but are not limited to : implementation of new information technology production systems; software and operating system version upgrades; implementation of new or removal of existing security components; updates to applications and websites handling Level 1 and 2 data, as well as other system changes defined by the Information Security Officer.
8055.200 Emergency Changes
It is recognized that emergency changes to campus information assets are sometimes required to maintain business processes. Emergency changes are defined as changes which, due to urgency or criticality, must occur outside the formal change management process. Such emergency changes must be authorized in writing by the Information Security Officer. Emergency changes may be pre-authorized by submitting formal emergency change procedures to the Information Security Officer for prior review and acceptance. Any such pre-authorized emergency changes must be promptly documented to the Information Security Officer.
Back to to Sacramento State Information Security Policy Website