CHANGE MANAGEMENT POLICY
Document Identification |
HSNZ/POL/06 |
|
Document Name |
Change Management Policy |
|
Master Copy |
CISO |
|
Version Number |
1.3 |
|
Date Of Release |
15 Aug 2023 |
|
Prepared By |
Eparama Tuibenau |
CISO |
Approved by |
Kevin McAfee |
Managing Director |
VERSION HISTORY
Sl No |
Version No. |
Prepared by |
Approved by |
Description of Version |
Date |
Reason for Version Change |
|
From |
To |
||||||
1 |
1.0 |
- |
CISO |
MD |
First Release |
14 Apr 2020 |
No changes made |
1 |
1.0 |
1.1 |
CISO |
MD |
Updated |
21 Jun 2021 |
Modifications due to changes in HealthSafe |
1 |
1.1 |
1.2 |
CISO |
MD |
Reviewed |
27 Jul 2022 |
Annual review |
1 |
1.2 |
1.3 |
CISO |
MD |
Reviewed |
15 Aug 2023 |
Annual review |
DOCUMENT STATUS
Date |
Document Status |
14 Apr 2020 |
Modified |
21 Jun 2021 |
Reviewed |
27 Jul 2022 |
Reviewed |
15 Aug 2023 |
Current |
Table of Contents
1 Purpose
2 Scope
3 Input
4 Output
5 Interacting Process
6 Abbreviations, Acronyms and Definitions
7 Procedure
8 Monitoring the Process
9 Records
1 PURPOSE
The purpose of this procedure is to provide a tool to implement changes to supported information technology in a way that minimises risk and impact to HealthSafe NZ.
For the purposes of this procedure, a change is defined as anything that transforms, alters, or modifies the operating environment or standard operating procedures that have potential to affect the stability and reliability of supported information technology infrastructure and affects the business process of HealthSafe NZ.
This document provides a baseline for the change management procedures for the three major change categories, Planned Major Changes; Maintenance and Minor Updates; and Emergencies and Unplanned Outages.
2 SCOPE
These procedures are applicable for the changes in IT supported systems (hardware, software, applications, and network environment) and processes upon which any functional unit of HealthSafe relies in order to perform its normal business activities. Examples of these systems include, but are not limited to: Hardware, Application Software, Database, Email, Servers, Employee’s Laptop Computer, Allocation of IP addresses, Updates to company 0800 number, Domain DNS changes and others.
3 INPUT
Change Management
4 OUTPUT
Change Approval
5 INTERACTING PROCESS
Department Head, Finance, IT & CISO
6 ABBREVIATIONS, ACRONYMS AND DEFINITIONS
Abbreviation |
Description |
Admin. |
Administration |
AE |
Administrative Executive |
TL |
Team Lead |
CISO |
Chief Information Security Officer |
7 PROCEDURE
Planned Major Changes
Examples of this type of change are:
- Change that results in business interruption during regular business hours
- Change that results in business or operational practice change
- Changes in any system that affect disaster recovery or business continuity
- Introduction or discontinuance of a new information technology or service
Change management Procedure:
- Change request items are reviewed by various team members and tabled at the quarterly planning session as a candidate to be planned into the coming quarter.
- Elements to consider before a change request is to become a candidate task for the following QPS are:
- description of the change; at least one or two sentences with supporting screenshots if required,
- a preferred date and time, that the change is scheduled to be implemented if inline with a client/project requirement
- the main contact; others should contact this person on questions/clarification, issues responsible management contact
- risk and its impact of change analysed by the TL
- roll back plan suggested by the TL
- approval remarks by the CISO or key stakeholders
- task is assigned to an individual
- implementation compliance remarks and communication are to be logged by the relevant employee in JIRA comments section with activity logs of the particular change
- CISO/CEO/GM may choose to approve or reject the change or request additional information. If the change is rejected or additional information is needed, additional information is acquired prior to the task being logged in JIRA.
- TL verifies the schedule/re-schedules for the implementation and assigns the task to the respective IT Technical staff
- Changes that impact all of HealthSafe NZ will be communicated through emails or a product showcase to the respective members or by a selected member by CISO
- The assigned IT Technical staff implements the change
- After the change is implemented, the change is submitted to a QA staff to assess the change and logged accordingly
- QA verifies the changes and sends the confirmation to the respective persons
- The completed change will be logged in JIRA with related historic logs and comments
Maintenance and Minor Updates
Examples of these types of changes are:
- Application-based security patches
- Changes on application software
- Operating system patches (critical, hot-fixes)
- Regularly scheduled maintenance changes that are not likely to cause a service outage
Emergencies and Unplanned Outages
Examples of this type of changes are:
- Lack of services in our data centre
- A severe degradation of service needing immediate action
- A system/application/component failure causing a negative impact on business operations
- A response to a natural disaster
- A response to an emergency business need
- System outage where no users can continue with business operation
Emergency and Unplanned Change Procedures:
- Emergencies are to be resolved as quickly as possible
- As soon as possible, the employee who notices the incident will report to an TL or LT or directly to the CISO
- The employee will notify the impact to the CISO if not reported directly
- The TL (in consultation with CISO) authorises for the changes and all HealthSafe NZ employees will be notified if impacted
- The TL will send an email or Slack message to every relevant internal staff about the changes and resolution
- The JIRA ticket will log the communication and serve as a record of the issue and its resolution in JIRA
- This communication should provide sufficient details, cause and resolution in JIRA
- It should also indicate whether additional steps need to be taken to minimise re-occurrence of the emergency
8 MONITORING THE PROCESS
- All the data is entered in JIRA
- Necessary request forms are approved by the concerned person
9 RECORDS
- JIRA tickets/tasks