APPENDIX TO POLICY
Change Control Standard
To control and manage the changes to IT resources.
The following table identifies when to use a change control process.
| CC.A.01 | Multi-user systems with Private-Highly Restricted data | Required | Required | Recommended |
| CC.A.02 | Multi-user systems with Private-Restricted data | Required | Recommended | Optional |
| CC.A.03 | Systems with no data | Required | Recommended | Optional |
| CC.A.04 | Systems in scope for PCI-DSS | Required | Required | Required |
| CC.A.05 | Software development and implementation | Required | Recommended | Optional |
| CC.A.06 | Multi-user systems with Public data | Recommended | Recommended | Optional |
Change Control Requirements
The following table identifies baseline security requirements for a change control process.
| CC.B.01 | Document and use a change control process | Required | Recommended | Optional |
| CC.B.02 | Document the decision to approve or deny the implementation of the change request | Required | Recommended | Optional |
| CC.B.03 | Establish segregation of duties for those who develop, implement, or approve changes | Required | Recommended | Optional |
| CC.B.04 | Define and document acceptance criteria for change requests | Required | Recommended | Optional |
| CC.B.05 | Maintain separate development, test and production environments | Required | Recommended | Optional |
| CC.B.06 | Prevent private-highly restricted or private-restricted data from appearing in development and test environments unless the environment meets the same requirements as the production environment | Required | Recommended | Optional |
| CC.B.07 | Define and document procedures for transfer of software from development, test and production environments | Required | Recommended | Optional |
| CC.B.08 | Assess and document the potential impact of changes to the confidentiality, integrity and availability of University information or service prior to implementation of the change request | Required | Recommended | Optional |
| CC.B.09 | Develop and document rollback procedures to reverse and recover from unsuccessful changes | Required | Recommended | Optional |
| CC.B.10 | Communicate changes to appropriate audiences | Required | Recommended | Optional |
| CC.B.11 | Track/log changes to IT resources | Required | Recommended | Optional |
This standard applies to IT resources owned or contracted by the University.
This standard applies to University community members who use or manage University IT resources.
More information on Change Control
- November 2014