Contents

1Change Management

1.1Change Management Policies and Standards

1.1.1Zero Tolerance for Unauthorized Changes

1.1.2Segregation of Duties in Production

1.1.3Change Maintenance Windows

1.1.4Peak Season Change Lock Downs

1.1.5Emergency Change Requests

1.1.6Authorized Access Controls to Production

1.1.7Change Accountability and Responsibility

1.1.8Change Schedule Prioritization Standard

1.1.9Change Advisory Board Standards

2Change Management Process

2.1Change Management Workflow

2.2Standard Change Request Submission

2.3Normal Change Request Submission

2.4Emergency Change Request Submission

2.5Change Approval by the CAB

2.6Change Added to Change Calendar

2.7Change Implemented

2.8Post-implementation Review

3Change Management Resources

3.1The Change Calendar

3.2The CAB Dashboard

3.3Terminology

1Change Management

Change Management is an approval process that allows a change request to move through a series of approval stages. Change Management is based on policies and standards that must be adhered to.

1.1Change Management Policies and Standards

The following policies and standards have been developed in order to protect revenue and ensure the business value of change is actualized without undue risk to the business. The following is the list of policies and standards.

Zero Tolerance for Unauthorized Changes

Segregation of Duties in Production

Change Maintenance Windows

Peak Season Change Lock Downs

Emergency Change Requests

Authorized Access Controls to Production

Change Accountability and Responsibility

Change Schedule Prioritization Standard

Change Advisory Board Standards

1.1.1Zero Tolerance for Unauthorized Changes

In order to foster a culture of change management, the following policy establishes zero tolerance for unauthorized changes in the production environment.

•All changes to the production environment (App/Dev, DBA, Server, Storage, Network, DC and Security) must be recorded in the change management system prior to production release.

•All changes must be reviewed and approved by the Change Advisory Board prior to implementation.

•Approval from Business/Product leaders must be completed before submitting a change request.

•Failure to meet these requirements will result in immediate discipline, up to and including termination.

•All changes to Development, Quality Assurance, and Staging Environments are out of scope unless it is a shared technology with production. This includes network, storage, and other shared services.

•Any Disaster Recovery Environment is considered production and is in scope for change management.

•Any unauthorized changes to production must be reported to the Change Advisory Board

1.1.2Segregation of Duties in Production

The implementation of changes to production may only be completed by operations staff members approved to implement change. This policy explicitly excludes development, QA, or business teams from implementing change to the production environment. Approved teams to implement change include:

Application Systems Administration

•Storage

Database Administration

Technical Support

1.1.3Change Maintenance Windows

The following change maintenance windows have been pre-approved by the business for implementing changes that require application downtime for clients.

Application andNetwork Infrastructure: Saturdays, between 8:00 pm and Midnight, Standard time

1.1.4Peak Season Change Lock Downs

During critical peak seasons all Normal Changes will be limited and require approval from the Emergency Change Advisory Board. The following peak seasons have been pre-approved by the business and represent sensitive times where change must be limited to protect revenue. This policy may be implemented at unplanned times with business and IT approval.

•Holiday Season: The week prior to Thanksgiving to the week following New Year’s Day

1.1.5Emergency Change Requests

Approval may be given by Senior Management verbally or via email in cases where access is limited.

The following characteristics are typical of an Emergency Change and requests must meet these characteristics to be considered for approval.

•Tied to an Active Incident

•Represent a critical risk to revenue if it is not resolved immediately

•Must be implemented before next CAB Meeting

1.1.6Authorized Access Controls to Production

Access to production systems must be limited to employees, vendors, and contractors who have been authorized to make changes to the production environment. IT Owners and change owners are responsible for ensuring all production systems have been secured to authorized personnel only. Remediation plans must be established to remove access within a reasonable amount of time.

1.1.7Change Accountability and Responsibility

All participants in the Change Management process have established roles and responsibilities. Each participant will be held accountable for the execution of these duties according to the established methodology.

1.1.8Change Schedule Prioritization Standard

Priority / Characteristics
Immediate / Treat as Emergency Change
High / Highest priority for scheduling and resources
Severely affecting some key users
Impacting high number of users
Medium / No severe impact
Maintains business viability
Supports Planned Business Initiatives
Cannot wait until next schedule release or maintenance window
Low / Justified and necessary
Can wait until next scheduled release or maintenance window
Add new functionality
Improvements to service

1.1.9Change Advisory Board Standards

The Change Advisory Board is the central point of management for the change management process. The following requirements and standards are expected of the Change Advisory Board:

•Attendance is required either by CAB member or a delegate who can authorize decisions on their behalf

•IT Owner is required to attend to have their changes approved with no exception

•Purpose of the CAB is for final approval, not for technical discussion about the change

•Changes must be approved by the Business/Product owners before submitting to the CAB

•After changes are implemented, the request must be updated with implementation results for review

2Change Management Process

The Change Management process follows a workflow, which is identified in this section.

2.1Change Management Workflow

•Standard or Normal Change Request Submission

•Emergency Change Request Submission

•Standard or Normal Change approval from CAB Members (In the case of an Emergency Change, approval from Senior Managementis required)

•Change scheduled on the Change Calendar

•Change is implemented(In the case of an Emergency Change, it likely will not occur on the established dates for change implementation, but ASAP)

•Post-implementation review

Change Management Process Illustration

2.2Standard Change RequestSubmission

A Standard Change Request is a pre-approved change that is well-known, low-risk, follows established procedures and is an accepted response to particular requirements or events. These are changes that get pre-approved as they are low risk, proven, and well-documented. Standard Changes follow the same process when getting approved for the first time; however each individual implementation of a Standard Change is automatically approved. This ensures visibility is maintained, yet establishes controls up front to ensure standard changes move quickly through the process.

Standard Change examples may include:

•Hardware failure fixed by vendor

•Download and installation of virus DAT files

•Installation of approved software

•Replacement of a desktop computerbased on approved replacement cycle

•Application of tested operating system patches.

2.3Normal Change Request Submission

Normal Changes represent the majority of all changes. They follow the full change management process and require assessment and approval for every change implementation. Submitting requests as Normal require them to be reviewed and approved by the CAB before the change can be applied by the owner. The owning team’s time and resource constraints still apply.

Examples of types of Normal Change Requestsare:

•Adding columns or indexes to existing tables

•Removing columns, indexes or any objects

•DML requests

•Deleting data, etc.

2.4Emergency Change Request Submission

An Emergency Change Request is a change that requires immediate unscheduled implementation to correct an existing or prevent an imminent service outage or disruptionthat cannot be communicated at a CAB meeting before implementation. There are no exceptions to this approval process.

2.5Change Approval by the CAB

AChange Request is evaluated and approved, and then a release is planned and scheduled by the CAB. The CAB meets each weekday morning. Unless it is an emergency, Standard and Normal Change Requests need to be submitted and approved two days prior to a release or deployment. Releases occur during the Weekend Maintenance Window, so Change Requests need to be submitted to the CAB by or before 8:00 am each Wednesday.

The CAB meets each business day at 10:00 am on the 18th Floor and is generally made up of Tech Support, Engineeringand Product Management representatives that include: the Leader (Change Manager). AccountManagers attend as required. Off-site members can attend via teleconference and/or WebEx.

2.6Change Added to Change Calendar

Once approved, a change is scheduled for implementation and placed on the Change Calendar. The CAB also serves as a governance body for the change management process leading to implementation and review.

2.7Change Implemented

When the scheduled change is to be implemented, the CAB watches over the process. If it is successful, the implementation is complete. If there is an unforeseen issue created by the change, then the Change Rollback Planwritten on the Change Request submission is implemented and the change is removed via rollback.

2.8Post-implementation Review

Whether the change is successful and does not create an unforeseen issue or creates a rollback situation, the change needs to be reviewed by the CAB at a CAB meeting soon after the implementation step.

3Change Management Resources

The following Change Management Resources are available for employees.

3.1The Change Calendar

The Change Calendar lists and details all scheduled changes on an actual calendar format.

3.2The CAB Dashboard

The CAB Dashboard is kept up to date, and includes lists of Standard Changes (if any)as well as Normal Changes up for assessment and approval. It also displays the Change Calendar.

3.3Terminology

Change: Any implementation of new functionality, any interruption of service, any repair of existing functionality or any removal of existing functionality.

Change Approver: The individual or individuals responsible for approving a change. It is recommended that all but the least complicated and lowest risk changes be approved by the Change Approval Board.

Change Calendar: A calendar containing the change requests and change datesplanned for implementation. These changes are scheduled and published. The Change Calendar keeps all parties informed of when a particular application will be down for maintenance and when it will be restored.

Change Requester: The individual or team submitting the Request for Change.

Change Approval Board: A cross-functional team comprised of individuals with relevant business process and technical expertise that act in the role of Change Approver.

Emergency Change Request: A change that requires immediate or near-immediate unscheduled implementation to correct an existing, or prevent an imminent, service outage or disruption.

Impact: How the level of service is affected in the event of potential negative consequences resulting from both implementation of the change or failure to implement the change.

Normal Change Request: The majority of all changes,these change requests follow the full change management process and require assessment and approval for every change implementation. Submitting requests as Normal require them to be reviewed and approved by the CAB before the change can be applied by the owner.

Request for Change: Also called a RFC or a Change Request, it is a form outlining details of the change that is submitted to the Change Approver or Change ApprovalBoard for approval as part of the Change Review Process.

Risk Assessment: The identification and analysis of risks, their impact and mitigating measures.

Rollback Plan: A plan for rolling back the change in the event of negative consequences.

Standard Change Request: A pre-approved change that is well known, low-risk, follows established procedures and is an accepted response to particular requirements or events.

Urgency: The needed time frame in which the change should be implemented.

Change Management1