Information Technology Change Management (Policy 8180)
University Policy 8180
February 06, 2023
Office of Information Technology, (208) 426-4357
Executive Director, Development & Business Intelligence Reporting Services, (208) 426-2635
Chief Information Security Officer, (208) 426-4127
Scope and Audience
This policy applies to all colleges, departments, and units, including all computing devices located at or controlled by Boise State University.
- Gramm-Leach-Bliley Act
1. Policy Purpose
To protect University data, provide reliable enterprise tools, and reduce the risk of data loss or loss of service information productivity loss through negligence or intentional harm.
2. Policy Statement
Boise State University is committed to maintaining effective, efficient, reliable, and secure management of its enterprise systems consistent with the mission and goals of the university. All users of the University’s Information Technology (IT) resources are expected to follow the guidelines outlined in this policy.
3.1 Information Technology Change Management
Information Technology Change Management seeks to minimize the risk associated with the additions, modifications or removal of anything that could have an effect on IT services, including changes to the IT infrastructure, processes, documents, interfaces, etc.
3.2 Best Practices
Change management procedures generally recognized by the industry for assuring secure, reliable, scalable, and efficient system management.
3.3 Tier 0 and 1 Systems
Tier 1 systems are the mission critical applications used by the University and are required for operation. Tiers are assigned to services and documented internally in the Office of Information Technology (OIT) Service Catalog. Tier 0 Systems are the infrastructure services necessary to operate Tier 1 systems.
4. Review of Changes
4.1 Standard Changes
Standard Changes are pre-authorized for Tier 0 and 1 Systems. They are low-risk changes associated with well-documented projects and or department procedures. They are documented in a system of record appropriate to the Tier system (for example, all standard changes to PeopleSoft are to be documented in STAT).
4.2 Emergency Changes
Changes that must be implemented immediately; for example, to resolve a Major Incident. These must be approved by a member of OIT leadership, normally the director over the affected Tier 0 or 1 System.
4.3 Normal Changes
All other Changes that are not Standard Changes or Emergency Changes are reviewed, calendared and discussed by the Cross Team Coordination subcommittee (CTC).
4.4 Blackout Periods
OIT leadership will define blackout periods at the first of the semester in which all standard and normal changes will follow the emergency change process and must be reviewed and approved by two members of the OIT leadership team.
5. Separation of Duties
The University will maintain a separation of duties and responsibilities. This will be enforced by user and groups rights management within the given enterprise system. Group rights will be reviewed by managers every 60 days.
6. Best Practices
Managers of University IT resources must seek and adopt, whenever possible, Best Practices with regards to change management. The CTC will review and adopt appropriate standards and procedures that represent Best Practices for calendaring, documenting, and testing normal changes.
The OIT Executive Director of Development & Business Intelligence Reporting Services is responsible for administering this policy, including its maintenance and compliance. CTC will consist of representatives across OIT, and Campus Departments will review this policy and supporting documents and make recommendations to the OIT Executive Director of Development & Business Intelligence Reporting Services regarding additions, deletions, and/or modifications.
8. Exceptions to Policy
A request for exception, along with a plan for risk assessment and management, can be submitted for review by the OIT Executive Director of Development & Business Intelligence Reporting Services by completing a Self-Service Support Request. Non-compliance with these standards may result in revocation of access, notification to the supervisor, and reporting to the individual’s manager, Human Resource Services, Internal Audit and Advisory Services, and/or Institutional Compliance and Ethics.
Failure to comply with this policy may result in the suspension of the individual’s access to network resources until policy standards have been met.
10. Related Information
Change Management Procedures
Self-Service Support Request