University of Minnesota Appendix

Change Management Standard

Governing Policy

Questions?

Please use the contact section in the governing policy.

Objective

To control and manage the changes to IT resources. Changes include but are not limited to security patching, configuration changes, firewall rule changes, system and application upgrades, application deployment and maintenance, software/application development and maintenance, critical infrastructure changes (e.g., storage, networking, networked life safety, and power management systems).

Security Controls

Change Control Requirements

The following table identifies baseline security requirements for a change control process for normal changes, emergency changes, pre-approved changes, etc.

| ID | Description | High | Medium | Low |
|---|---|---|---|---|
| CM.A.01 | Periodically review and follow a change control process | Required | Required (effective July 2019) | Recommended |
| CM.A.02 | Establish segregation of duties for implementation and approval of changes | Required | Recommended | Optional |
| CM.A.03 | Define and document procedures for transfer of software between non-production and production environments | Required | Required (effective July 2019) | Recommended |
| CM.A.04 | Communicate changes to appropriate audiences | Required | Recommended | Optional |
| CM.A.05 | Track/log changes to IT resources | Required | Required (effective July 2019) | Recommended |

Columns High, Medium and Low are the security levels of the IT resource; "effective July 2019" marks requirements that became mandatory for that level on that date.

Change Control Documentation

The following table identifies baseline security requirements for documenting a change request.

| ID | Description | High | Medium | Low |
|---|---|---|---|---|
| CM.B.01 | Define and document approval and escalation criteria for change requests | Required | Recommended | Optional |
| CM.B.02 | Develop and document rollback procedures to reverse and recover from unsuccessful changes | Required | Recommended | Optional |
| CM.B.03 | Assess and document the potential impact of changes to the confidentiality, integrity and availability of University information or services prior to implementation of the change request | Required | Recommended | Optional |
| CM.B.04 | Test changes that are high impact prior to implementation of the change request | Required (effective July 2019) | Recommended | Recommended |
| CM.B.05 | Verify that information security requirements continue to be met by the change [1] | Required (effective July 2019) | Required (effective July 2019) | Recommended |
| CM.B.06 | Update applicable documentation (e.g., architecture diagrams, data flow diagrams, procedures) upon completion of a change | Required (effective July 2019) | Recommended | Optional |
| CM.B.07 | Document the decision to approve or deny the change request, and the success or rollback/failure of its implementation | Required | Required (effective July 2019) | Optional |

[1] PCI DSS requires that all changes be tested for compliance with PCI DSS requirements on systems that store, process, or transmit cardholder data, or that support the credit card processing environment.

Resources Covered

This standard applies to IT resources owned or contracted by the University.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

Published Date

November 2014

Last Reviewed

April 2019