ICT infrastructure change management guideline
QGEA
Final
September 2010
v1.0.0
PUBLIC
Document details
Security classification / PUBLIC
Date of review of security classification / September 2010
Authority / Queensland Government Chief Information Officer
Author / Queensland Government Chief Technology Office
Documentation status / Working draft / Consultation release / / Final version
Contact for enquiries and proposed changes
All enquiries regarding this document should be directed in the first instance to:
Director, Technology Architecture and Strategy
Queensland Government Chief Technology Office
Acknowledgements
This version of the Queensland Government Enterprise Architecture (QGEA) ICT infrastructure change management guideline was developed and updated by the Network and Security Architecture Team, Queensland Government Chief Technology Office (QGCTO).
Feedback was also received from a number of agencies, which was greatly appreciated.
Copyright
ICT infrastructure change management guideline
Copyright © The State of Queensland (Department of Public Works) 2010
Licence
ICT infrastructure change management guideline by the QGCTO is licensed under a Creative Commons Attribution 2.5 Australia Licence.
To attribute this material, cite the Queensland Department of Public Works.
Information security
This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.
Contents
1 Introduction
1.1 Purpose
1.2 Audience
1.3 Scope
2 Background
3 Change management
3.1 Roles and responsibilities
3.2 Change management procedures
3.3 Assessment, prioritisation and authorisation
3.4 Emergency changes
3.5 Change status tracking and reporting
3.6 Change closure and documentation
1 Introduction
1.1 Purpose
A Queensland Government Enterprise Architecture (QGEA) guideline provides information for Queensland Government agencies on the recommended practices for a given topic area. Guidelines are generally for information only and agencies are not required to comply. They are intended to help agencies understand the appropriate approach to addressing a particular issue or doing a particular task.
This guideline specifies the Queensland Government’s recommended approach to change management.
1.2 Audience
This document is primarily intended for:
- agency staff responsible for implementing changes
- agency staff responsible for approving changes
- agency staff responsible for maintaining change management documentation.
1.3 Scope
1.3.1 In scope
The discipline of change management should be applied consistently across all domains of the QGEA. This guideline relates specifically to ICT hardware and software assets, including the supporting processes and documentation.
2 Background
The Queensland Government expects that all changes to ICT hardware and software assets, including the introduction of new or replacement technologies, are traceable to business decisions and requirements, and approved by all stakeholders prior to implementation. This standardised approach is designed to ensure that all changes are reviewed and approved in a consistent and co-ordinated manner.
Effective change management will reduce both the frequency and severity of adverse information security and ICT incidents by:
- reducing uncontrolled and unapproved changes to ICT infrastructure and processes
- improving the governance of ICT infrastructure and processes
- ensuring that each agency assesses the potential impact of all changes to, or the introduction of, ICT infrastructure and processes prior to deployment into production environments.
3 Change management
All ICT infrastructure used within an agency has either a well-defined or an implied life cycle associated with its intended use. In addition, there are supporting processes associated with managing this environment.
This life cycle covers the introduction of an ICT asset to an agency’s infrastructure, and has associated management activities, including modifications, patches, updates and disposal or retirement. Each stage of the asset life cycle needs to be fully understood by the asset owner and those personnel tasked with managing the asset.
3.1 Roles and responsibilities
Change management is a process that should clearly identify, support and incorporate the following roles and associated responsibilities:
- requestors – the people, or regular process, making the change request
- Change Advisory Board – a group of people authorised to approve change requests
- stakeholders – anyone who has a business interest in the outcome of the change request.
3.2 Change management procedures
Formal change management procedures should be established to control, in a standardised manner, all changes to ICT infrastructure, as well as supporting procedures, processes, and configuration parameters. This ensures that:
- changes are managed through a standardised approach that ensures consistency and repeatability
- changes are formally reviewed and approved in a consistent and coordinated manner
- expectations between all stakeholders are clearly defined and managed.
3.3 Assessment, prioritisation and authorisation
All change requests should be individually assessed using a risk management approach in order to determine the impact on ICT infrastructure, procedures, processes, service delivery and available resources. This ensures that change requests are:
- assessed for impact on people, process and technology
- prioritised according to resources, service level agreements and service availability
- authorised, depending on the impact severity, by the Change Advisory Board after consultation with, and approval by, key stakeholders.
3.4 Emergency changes
Emergency change requests, outside formal change management procedure, allow agencies to be flexible and agile in response to various threats. Emergency change requests should be:
- correctly identified and consistently managed through a standardised approach
- formally reviewed and analysed after the change has been implemented to ensure compliance with the formal change management procedure.
3.5 Change status tracking and reporting
The status of all changes, whether completed, in-progress, reverted or rejected, should be tracked and reported in order to communicate the progress to all stakeholders. Recording and reporting the current status ensures that all outcomes are traceable and that decision makers are accountable.
The status of a change request may be one of the following with respect to the original change management request:
- completed – where a change has been implemented
- in-progress – where a change has not yet been implemented
- reverted – where a change was not successful
- rejected – where a change was not approved.
3.6 Change closure and documentation
Changes that are completed, in-progress, reverted or rejected may require associated documentation to be updated. All relevant and affected documentation should be updated as part of the change management process to ensure that the current state has been accurately recorded. This includes, but is not limited to:
- policies, procedures, processes and guidelines
- automation of tasks, including workflow software, programs and scripts
- architectural documentation
- physical and logical network diagrams.
Where possible, these documents should have the ability to be dynamically updated in order to reduce workload on staff resources and the introduction of manual errors.
Version history
Document authors: Peter Nikitser
Filename: Change Management Guideline v0.1.0 - 31.08.10.doc
Change management guideline
Version / Date / Author / Description
0.0.1 / 04/03/2010 / QGCIO / Changed to guideline and updated styles.
0.0.2 / 12/04/2010 / QGCTO / Subsequent draft including feedback from the Information Security Reference Group.
0.0.3 / 13/05/2010 / QGCTO / Subsequent draft including feedback from the Department of Community Services.
0.0.4 / 07/07/2010 / QGCTO / Moved from Draft status to Final document after endorsement by the ICT Security Sub-Committee.
0.1.0 / 31/08/2010 / ICT Governance, Policy and Coordination Office / Updated by Director, ICT Governance, Policy and Coordination Office.