Skip to Content

Information Security Office

Network is experiencing difficulties.

Policy Index
Change Control
Change Management Standard
Number: 8055.0 Revised: August 15, 2010

Change management refers to the process for controlling and maintaining security when changes are made to the configuration or operation of a device or application. All changes and additions must be made using an orderly process that carefully considers possible security compromises that may be introduced. The requirements identified here are to establish a minimum change management baseline practice to ensure the secure posture of both critical systems/devices and systems/devices that handle Level 1 data. Most additional change management practices are recommended as best practices but not required for security.

Scope

Systems that must follow this standard are Critical systems as defined in the Supplemental Information Security Policy section 8045.100 Security of Servers and Network Attached Devices.  While networking equipment and servers supporting a critical service are always included, all network attached device that meet any of the critical services must also follow change management standards (i.e. workstations, laptops, etc.).
Any ‘significant’ changes must be managed through the Change Management process. Significant changes are any changes that potentially impact the security posture and availability of a system.  The following are considered significant changes (the list is not inclusive):

  1. Upgrading from one version of software to the next version

  2. Adding a new service

  3. Implementing new security control (i.e. firewall, IP table and IPS)

  4. Removing a security control

  5. Change the IP address or re-zoning an existing IP address on the network

  6. Performing any maintenance that will make the service un-available

  7. Performing any activity, considering past experience and industry/vendor treads, that is reasonable likely to make the service un-available

The following are generally not considered significant changes:

  1. Patching using certified processes during a published maintenance window

  2. Modifying a firewall/IP table rule to include new IP/IP ranges for use under existing rules

  3. Performing maintenance on a system in a clustered/redundant environment that allows the main service to remain persistent

Change Management Process

The Information Security Officer shall define critical systems that must follow campus change management guidelines and shall inform managers of those systems of all change management requirements. In cooperation with the Associate Vice President for Administrative Computing, the ISO shall maintain a Sharepoint site for change management and shall provide access to all applicable users.  The Sharepoint change management site shall delineate the process for submitting and approving changes to the campus Change Management Group. Clarification regarding “critical systems” and “significant changes” will be determined by the Information Security Office, as will exceptions to the change management requirements.


As an assigned campus Change Management participant you must:

  1. Review and take action on all change control communications.

  2. Document all required change control procedures for systems under your administration.

Each change procedure must:

  • Identify and document all required changes.

  • Assess the potential impact of changes, especially security implications.

  • Identify the manager and System Owners as approval authorities before submitting to the Change Management Group.

  • Document the required change and review and approval by the designated change control authority on the mySacShare SharePoint Weekly Maintenance Schedule site.

  • Identify methods for scheduling and appropriate notification of significant changes.

  • Identify methods for notification to end users of scheduled changes and expected impact.

  • Document ability to terminate and recover from unsuccessful changes.

  • Test procedures to ensure the change is functioning as intended prior to deployment.

  • Update all appropriate system documentation upon the completion of a significant change.

  • Provide after action status to be documented on the Weekly Maintenance Schedule site 

Back to to Sacramento State Information Security Policy Website

Feedback/Questions/Comments