Version | 1.0 |
Owner | Head of Engineering |
Last Updated On | 12 |
Last Updated by | |
Approved by |
...
Changes to the organization, business processes, information processing facilities, production software and infrastructure, and systems that affect information security in the production environment and financial systems shall be tested, reviewed, and approved prior to production deployment. All significant changes to in-scope systems and networks must be documented.
Change management processes shall include:
Processes for planning and testing of changes, including remediation measures
Documented managerial approval and authorization before proceeding with changes that may have a significant impact on information security, operations, or the production platform
Advance communication/warning of changes, including schedules and a description of reasonably anticipated effects, provided to all relevant internal and external stakeholders
Documentation of all emergency changes and subsequent review
A process for remediating unsuccessful changes
Change management for projects at ecoPortal shall include:
...
Identify the need for change: In a project, a change may arise due to various reasons, such as changes in project scope, technology, or business requirements. Identify the need for change and document the reasons for it.
...
Change request submission: A change request should be submitted by the project team or stakeholders. The change request should include details such as the nature of the change, its impact on project objectives, potential risks, and the desired outcome.
...
Change evaluation: Evaluate the change request to assess its feasibility and impact on the project. This evaluation should consider factors like security implications, compliance requirements, resource availability, and potential conflicts with existing controls.
...
Change impact assessment: Conduct a comprehensive impact assessment to determine the potential effects of the change on information security. This assessment should include evaluating the potential risks, identifying affected assets, considering necessary control adaptations, and estimating the resources required for implementing the change.
...
Change authorization: Based on the change evaluation and impact assessment, the project's change management authority (e.g., a change control board) should review and authorize the change. This authority should include representatives from relevant stakeholders, such as IT, security, and project management.
...
Change planning: Develop a detailed plan outlining the necessary steps, resources, and timelines for implementing the change. Consider dependencies, potential disruptions, and communication requirements during the planning phase.
...
Change implementation: Execute the change according to the approved plan. Ensure that appropriate security measures are in place during the implementation process, such as monitoring for unauthorized access or data leakage.
...
Change review and testing: Once the change is implemented, conduct thorough testing and review to ensure that the desired outcomes have been achieved. Verify that security controls are functioning as intended and address any issues or deviations.
...
Change documentation and reporting: Document all aspects of the change management process, including change requests, impact assessments, authorizations, plans, implementation details, and test results. Maintain a record of changes for future reference and auditing purposes.
...
Change communication: Inform all relevant stakeholders about the change, its impact, and any necessary actions they need to take. This communication should include both the project team and any users or parties affected by the change.
...
Our change management procedures can be found in the Change Management Policy.
Capacity Management
The use of processing resources and system storage shall be monitored and adjusted to ensure that system availability and performance meet ecoPortal requirements.
...