APPENDIX TO POLICY

Change Control Standard

Objective

To control and manage the changes to IT resources.

Security Controls

Change Control

The following table identifies when to use a change control process, by security level.

| ID      | Description                                               | High        | Medium      | Low         |
|---------|-----------------------------------------------------------|-------------|-------------|-------------|
| CC.A.01 | Multi-user systems with Private-Highly Restricted data    | Required    | Required    | Recommended |
| CC.A.02 | Multi-user systems with Private-Restricted data           | Required    | Recommended | Optional    |
| CC.A.03 | Systems with no data                                      | Required    | Recommended | Optional    |
| CC.A.04 | Systems in scope for PCI-DSS                              | Required    | Required    | Required    |
| CC.A.05 | Software development and implementation                   | Required    | Recommended | Optional    |
| CC.A.06 | Multi-user systems with Public data                       | Recommended | Recommended | Optional    |

Change Control Requirements

The following table identifies baseline security requirements for a change control process, by security level.

| ID      | Control                                                                                                                                                                                          | High     | Medium      | Low      |
|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------|----------|
| CC.B.01 | Document and use a change control process                                                                                                                                                        | Required | Recommended | Optional |
| CC.B.02 | Document the decision to approve or deny the implementation of the change request                                                                                                                | Required | Recommended | Optional |
| CC.B.03 | Establish segregation of duties for those who develop, implement, or approve changes                                                                                                             | Required | Recommended | Optional |
| CC.B.04 | Define and document acceptance criteria for change requests                                                                                                                                      | Required | Recommended | Optional |
| CC.B.05 | Maintain separate development, test and production environments                                                                                                                                  | Required | Recommended | Optional |
| CC.B.06 | Prevent Private-Highly Restricted or Private-Restricted data from appearing in development and test environments unless the environment meets the same requirements as the production environment | Required | Recommended | Optional |
| CC.B.07 | Define and document procedures for transfer of software between development, test and production environments                                                                                    | Required | Recommended | Optional |
| CC.B.08 | Assess and document the potential impact of changes to the confidentiality, integrity and availability of University information or services prior to implementation of the change request       | Required | Recommended | Optional |
| CC.B.09 | Develop and document rollback procedures to reverse and recover from unsuccessful changes                                                                                                        | Required | Recommended | Optional |
| CC.B.10 | Communicate changes to appropriate audiences                                                                                                                                                     | Required | Recommended | Optional |
| CC.B.11 | Track and log changes to IT resources                                                                                                                                                            | Required | Recommended | Optional |

Resources Covered

This standard applies to IT resources owned or contracted by the University.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Change Control

Published Date

  • November 2014