World Agroforestry Centre Policy Series MG/C/11/2009
ILRI Policy Series

ICT Change Management Policy

One of the policies on information security and business continuity which will be audited by the CGIAR Internal Audit Unit for all Centres, given (a) their network inter-linkage through Active Directory and (b) the inter-reliance of many Centres for information backup and recovery of hosted outreach sites.

Document Revision History

Version  Date        Author(s)   Revision Notes
1.0      29/10/2009  Ian Moore   Final draft circulated to staff

Document Control

The ICT Manager of the common services unit providing ICT Services to the World Agroforestry Centre and ILRI will maintain control of the document, which will be reviewed every two years in conjunction with the ICT Steering Group.

Information Security – ICT Change Management Policy 1

Proposed updates will be presented to the Centres’ senior management for adoption according to their organizational arrangements for approval of ICT policies. Upon acceptance by the Centres, the update will come into force. Any discretionary controls added by a Centre may be reviewed annually; however, updates may occur more frequently if deemed necessary.

Purpose

The purpose of this document is to communicate the Centre’s policy on managing changes to ICT infrastructure and systems. The change process ensures that standardized methods and procedures are used for efficient and prompt handling of all changes, in order to minimize the impact of change-related incidents upon service quality, and consequently to improve the day-to-day operations of the Centre. This document is aligned to the framework defined by ITIL.

Scope

The policy addresses the management of the change management life cycle, from recording a request for change (RFC), through classification, evaluation, authorisation, scheduling, testing, implementation and review, to closure of the requested change.
The scope covers all Centre ICT-related infrastructure, systems and equipment, applications, services, organisation and documentation that the staff of the Centre rely on in order to perform their normal duties. This policy applies to all permanent and temporary staff within the Centre, as well as contractors and visitors who work at and/or visit the Centre and who have a stake in any changes occurring in the Centre’s ICT Service environment.

Implementing this policy is an important component of ensuring that potential threats to the overall ICT security position of the Centre are managed effectively. This is particularly the case given the shared CGIAR electronic network, which has created inter-dependency among Centres with respect to network security.

1. Change Management

1.1. All changes to configurations, systems, applications or equipment that could potentially affect the work of more than one person should follow the appropriate ICT change management procedures, to minimise adverse impacts of those changes on business operations and on the users of ICT Services.

1.2. All changes require a Request for Change (RFC) to be submitted by a person authorised to initiate the change. All RFCs will be classified based on category and urgency, and the procedures for change management appropriate to the classification should be followed.

1.3. All change management procedures should include the following activities:

• Change Initiation
Changes should be initiated by an authorised person and contain enough information to evaluate the business benefits and the risks associated with the change.

• Change Classification
Each change should be classified according to the category of change requested and the urgency of the request. This will be used to determine the procedures that are to be followed.
• Change Evaluation
The evaluation will take into consideration: the feasibility; human and physical resource requirements and costs; impact on the services provided to internal and external customers during the change; impact on services provided following the change; and information security and risks.

• Change Authorisation
A designated manager for the functional area should authorise the change based on the recommendation of the evaluation.

• Scheduling of Change
The change should be scheduled at a time that will minimise disruption to services, given the urgency of the request. Notification of the time, duration and services that could potentially be affected should be sent to all customers potentially affected by the change.

• Build and test of change (including roll-back plan)
The roll-back plan should be developed and in place before the change is carried out. Where required by the procedures, the change should be tested successfully in a test environment before it is implemented.

• Change implementation
The change should be made at the scheduled time, and customers should be notified of the results of the change once it is complete.

• Review and Closure
All changes should be reviewed once complete to ensure that the objectives have been met and that any lessons learnt have been documented.

1.4. All change management procedures should involve the following roles:

• Change initiator
The person authorised to request changes to the process.

• Change Manager/authoriser
The person who reviews the evaluation, authorises the change and oversees the change process.

• Change implementers
The team or person who carries out the evaluation and the implementation of the change.

• Process owner
The owner of the process being changed, who confirms closure following successful completion.

1.5. All change management procedures should indicate the level of involvement of each role in each activity.
The level of involvement should be one of the following:

• Responsible
• Accountable
• Consulted
• Informed

2. Related Documentation

2.1. ICT change management procedures

3. Compliance and Waivers

3.1. Compliance with this policy by users, network administrators, or others responsible for implementation of the policy is mandatory. Procedures are in place to monitor compliance with this policy.

3.2. Violations of this policy may result in disciplinary action in accordance with the human resources policies of the Centre.

3.3. Requests for waivers of this policy shall be formally submitted to the Senior Manager. The requests shall set out the justification, the duration of the proposed waiver, and how the increased risk arising from the waiver will be managed. Requests will be approved by the Senior Manager of the person making the request, in consultation with the ICT Manager, and will be documented in the form of a management letter.

3.4. Approved waivers shall be monitored to ensure that the conditions of the waivers are being observed.

Definitions

• Change: the addition, modification or removal of an authorised, planned or supported service or service component and its associated documentation.

• ITIL: the Information Technology Infrastructure Library, a series of documents providing guidance on implementation of a framework for IT Service Management. ITIL is a registered trade mark of the Office of Government Commerce in the United Kingdom and other countries.

• Senior Manager: the person on the Centre’s management committee (MC/SLT) who has responsibility for the person making the request.