Techrunner
asked on
Change Management Policy
Hello,
I'm a Network Engineer in a healthcare organization, managing and maintaining Network Switches, Routers and Firewalls.
I've been tasked by Auditing to develop a change management policy including emergency change.
Hence, can someone help me to formulate this policy?
Thanks
ASKER
I was wondering what changes should be included in the policy, mostly we have daily changes and how they should be treated in the policy.
Impact width and depth are important criteria for scheduling windows, assigning work, sending notices, and requiring approvals.
WIDTH
Single user
Multiple users
Single department
Multiple departments
Single site
Multiple sites
Enterprise-wide
DEPTH
Service request
Workaround available
Partially impaired
Work stoppage
Security/safety risk
Create two grids with these as axes. One grid is for criticality. One grid is for approvals.
Each cell should have an appropriate ranking, keeping in mind that the ranks shouldn't go backwards at any point. The level can remain the same, or escalate.
That's a basic starting point. Let us know if you want examples filling in the grid.
It's a common thing in ticketing systems. Do you have a support system with these capabilities? The workflow can be semi-automated based on how you construct your severity rankings and approval requirements.
Most of your daily changes are probably port changes, web filter requests, permission changes, group membership...mostly service requests.
You should have an internal policy on how Tier 1 support can proceed, or what level of approval (and type, like email v. signature v. electronic approval form).
For instance, I have some leeway for web content filter changes. Also decision-making for access requests based on job duties and resources requested.
For things like VPN tunnel edits, you need approvals and notices, despite that it is a service request to begin with. The breadth is usually multiple departments or enterprise-wide.
ASKER
Thanks aleghart for the detailed information.
Yes we do have daily changes like web filter requests, permission changes, ACL exceptions on Routers and Switches, Port changes, creating users and emails etc.
For VPNs we have approvals through forms.
I'm not sure how to start with a policy.
ASKER
BTW, we are using Manage Engine Service Desk for ticketing system
No matter what ticketing system you use, you still have to put the policies on paper first.
Using the grid exercise either by yourself or in a group meeting would be a good start.
Once you define approvals, assignment priority, and notifications, you can make it more detailed for your environment.
Since the approvals workflow is fairly complicated, you might have to bring an experienced person on to help with designing the flows, approvals, and escalations. The software mfr or 3rd-party trainer are better since they have detailed (real-world) knowledge than a reseller or general consultant.
What does your grid look like? Some organizations try to go incredibly granular. Others will use fewer rows and columns to simplify the response of the support team.
You should know that Change Management:
- managing IT changes for the organization
- Defined and documented process for change management must
- It should involve all levels of the organization that are impacted
- BC and DR plans must be aligned with Change Management
- Change management is preventive control
- Patch management can be viewed as part of change management
- The primary purpose of change management = To allow management to review all changes.
- A change management process developed in the Design phase
- All emergency changes should still undergo the formal change management process after the fact
ASKER
I will really appreciate if anyone can share a policy for reference only similar to above points
Thanks
All change policies should include a risk assessment, reviewed and approved by someone other than the author/requester.
MadUnix has been very comprehensive!
ASKER
I will be very thankful if you guys can share any change management policy.
What sort of changes should reflect on policy?
ASKER
Hi Madunix
Appreciating your effort and time in this thread, detailed guidance.
Basically we have some daily basis and occasional changes. Daily basis changes includes such
Creating AD Users, Email Mailboxes
Granting Web Access
Changing VLAN membership for the ports
Changing permissions on folders.
Daily IT Operational such relocating PCs, reformatting etc.
Occasional Changes includes
Changes on Windows Servers
Adding Server and VM
Adding Router and Switches
Upgrading Network Devices
Patching Windows
Firewall Changes
Switches Changes like creating VLAN
How those changes should be dealt and documented those changes in policy? Is it require to go change process for daily changes?
As you know, most relevant policies where CISO's should look at are:
1 Acceptable use policy
2 Privacy policy
3 Password management policy
4 Disposal and destruction policy
5 Storage and retention policy
6 Incident response policy
7 Data classification policy
8 HR policy
9 Change Management policy
10 Firewall policy
11 Third Party Access Policy
Regarding Change Management policy; you will find some template at:
http://csrc.nist.gov/publications/PubsSPs.html
https://www.auckland.ac.nz/en/about/the-university/how-university-works/policy-and-administration/computing/security/it-security-management-plan-template.html
http://www.itgovernance.eu/
https://www.bsi.bund.de/DE/Themen/ITGrundschutz/itgrundschutz_node.html
https://www.cisecurity.org/critical-controls/
https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory
https://www.scribd.com/
Notice, Change Management: A change management review ensures that changes are implemented in accordance with the organization’s change management policy. This often includes a review of outages to determine the cause. Outages that result from unauthorized changes are a clear indication that the change management program needs improvement. "as per CISSP 7edition sybex"
ASKER
Thank you madunix for the useful links
From the above list I have been tasked to most of the policies I've completed Firewall Policy, the next Change Management Policy.
Basically what kind of changes should be documented and followed by the policy?
Is it require to follow same chain for daily requests for IT resources.
Thanks
ASKER
thanks madunix for your valuable reply....now that will be good start to write the policy
I was just confused when the change management policy come in use.
Does the policy should be used for the following changes like
Adding new server in the existing network either physical or VM ?
Adding new switch
Adding new vlan
Adding new remote site
VPN requests either remote access or site to site
many thanks once again in advance
A new VM is a service request, unless you are changing topology, firewall, or adding resources beyond just firing up a VM.
The rest have potential impact.
Even something as small as a role account password change is a change. Unlike a single user's password, something like an Active Directory account used by a service (or an unknown number of services) could take down an authentication system, web content filters, software deployment systems, etc.
ASKER
Hi aleghart
So daily changes can be categorized as standard change which are pre approved
For example web request, change vlan membership of ports, modifying ACL on router and switches
Normal changes should go through change management process such creating new firewall rule, adding new server or vm, adding a switch etc
Please correct me if I am wrong
ASKER
Ohh..that would be nasty.
We have Manage Engine Service Desk, but we haven't deployed yet the Change Management module.
Daily, if not daily then alternative days we have a request to change switchport vlan, going through a process would be complicated.
For example if I am network admin, I need to change switchports, add vlans, or modify ACL, so I have to be change requester and approver for this request.
Also we have web requests or create email or user accounts, also we need change process?
Thanks for bearing with me
ASKER
Also can you please advise what is the difference between normal and standard change, examples will be like piece of cake.
Thanks
ASKER
Thanks for the valuable points
What will be the difference between Problem, Incident and Change Management
Should the incident and problem be included in Change Management Policy
Thanks
ASKER
I wrote up the document with some points can I share here so you advise and add some suggestions?
Scrub it first. This page would be open to anyone on the internet. No company/personnel info, etc.
ASKER
Hi aleghart
Have you got chance to review my document?
I know my document might be quite few things
You may add up the points
Many thanks for your help. Much appreciated
ASKER
Hi there,
Thanks for the detailed information
I request to go through my previous attached policy, can you please review and add some points, I will really appreciate.
Thanks
ASKER
Hi Madunix and Aleghart
Thanks for bearing with me as I'm new to this kind of documentation but I'm sure with your help guys I can write my own document
Let me just put straightforward so I will not waste your time guys
- Our management consists of CIO and IT Network Unit Director
I'm a network administrator reporting to Network Unit Director
So in my case who will be CAB members?
Change Manager will be Network Unit Director
We don't make any CAB meetings
- What is a change log and documentation in the sense? If someone ask me all the changes should be logged and recorded? How this can be managed
ASKER
Hi Experts
Any further help please ?
Your change requests must be logged into a support desk system, so that a request is associated with a reference number and reports can be generated for appropriate entities; for example, by department, by user, by time taken to complete a request.
The system can be a home built database, if you're short of budget, but there are many commercial products around that will work for you. Don't forget, they can be used for multiple areas once installed, not just IT.
ASKER
Sir,
We have Manage Engine Service Desk with Change Management Module.
The requester will fill the online and submit the request, then change requests will follow the workflow as described in our policy.
Actually I have submitted few classifications of requests, if you can have a look.
I've created the policy if I can share with you privately to have a look and advise with your valuable suggestions.
https://www.experts-exchange.com/questions/28951438/Change-Management-Policy-and-Control-Process.html
https://www.mq.edu.au/about_us/offices_and_units/information_technology/policies/it_change_management/
http://is.oregonstate.edu/files/projects/change-management-policy.pdf