6.29 CHANGE CONTROL
Effective: August 15, 2024
Purpose: Emporia State University understands inappropriate introduction of upgraded software can impact the integrity and confidentiality of computing systems, the services they provide, and the data that resides within them. In addition, an improperly prepared or implemented change to infrastructure or systems can significantly impact availability of key systems. A change is defined as, but not limited to:
- Upgrade to software or hardware of an enterprise system or server;
- Enhancement or deployment of new server or server functionality;
- Upgrade of network infrastructure or telephone system.
This policy outlines ESU’s commitment to adopt standard methods and procedures when altering the information technology environment in order to minimize the risk of negative impacts to information and technology services offered and managed by Information Technology (IT).
Scope: This policy applies to all information technology services, servers, and infrastructure managed by IT and Unit Support Personnel.
Responsible Office: Information Technology
Policy Statement: Unit Support Personnel are encouraged to follow the Change Control Procedures developed by IT on systems they manage.
The Information Security Officer (ISO) has the responsibility to:
- Work with IT teams to develop, support, and maintain formal Change Control Procedures for university systems and infrastructure managed by IT; and
- Advise Unit Support Personnel to consider adopting formal Change Control Procedures.
IT personnel have the responsibility to:
- Identify the need for changes and originate a Request for Change (RFC) as per the Change Control Procedures and provide input for the IT management team and stakeholder groups as needed for review of request; and
- Review, test, communicate, and implement approved changes to affected stakeholders.
The Chief Information Officer (CIO) or designee is responsible for monitoring and reporting compliance with this policy. In all cases, information will be disclosed as required by controlling law.
Formal Change Control Procedures must be followed for installation and modification of any information technology infrastructure or enterprise system managed by IT, including but not limited to servers, software, telecommunications, and network infrastructure.
Definitions: All words and phrases shall be interpreted utilizing their plain meanings unless otherwise defined in another University or Board of Regents policy or by statute or regulation.
Procedures: All procedures linked and related to the policies above shall have the full force and effect of policy if said procedures have first been properly approved by the University’s administrator in charge of Information Technology.
[Information Technology procedures - coming soon]
Related Policy Information: [coming soon]