Techrunner
Change Management Policy

Hello,
I'm a Network Engineer in a healthcare organization, managing and maintaining Network Switches, Routers and Firewalls.
I've been tasked by Auditing to develop a change management policy including emergency change.
Hence, can someone help me to formulate this policy.

Thanks
bbao

you would need to develop something like below but specifically for your scenario and the network infrastructure of your organisation.

https://www.mq.edu.au/about_us/offices_and_units/information_technology/policies/it_change_management/

http://is.oregonstate.edu/files/projects/change-management-policy.pdf
Techrunner (ASKER)
I was wondering what changes should be included in the policy, mostly we have daily changes and how they should be treated in the policy.
Impact width and depth are important criteria for scheduling windows, assigning work, sending notices, and requiring approvals.

WIDTH
Single user
Multiple users
Single department
Multiple departments
Single site
Multiple sites
Enterprise-wide


DEPTH
Service request
Workaround available
Partially impaired
Work stoppage
Security/safety risk


Create two grids with these as axes.  One grid is for criticality.  One grid is for approvals.

Each cell should have an appropriate ranking, keeping in mind that the ranks shouldn't go backwards at any point.  The level can remain the same, or escalate.

That's a basic starting point.  Let us know if you want examples filling in the grid.

It's a common thing in ticketing systems.  Do you have a support system with these capabilities?  The workflow can be semi-automated based on how you construct your severity rankings and approval requirements.
Most of your daily changes are probably port changes, web filter requests, permission changes, group membership...mostly service requests.

You should have an internal policy on how Tier 1 support can proceed, or what level of approval (and type, like email v. signature v. electronic approval form).

For instance, I have some leeway for web content filter changes.  Also decision-making for access requests based on job duties and resources requested.

For things like VPN tunnel edits, you need approvals and notices, despite that it is a service request to begin with.  The breadth is usually multiple departments or enterprise-wide.
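Worked example of the two-grid exercise described above. This is an added illustration, not code from the thread or from any participant: the width and depth axes are the ones listed in the post, while the level names, the rankings placed in each cell, and all function names are constructed assumptions that an organisation would replace with its own values. It also checks the "ranks shouldn't go backwards" rule mechanically, so a grid that escalates and then de-escalates along either axis is rejected before it is loaded into a ticketing workflow.

```python
"""Impact grid for classifying change requests (constructed example).

Rows follow WIDTH (breadth of impact), columns follow DEPTH (severity).
Cell values are indexes into the level lists, so a higher number is a
higher rank. Both grids must be non-decreasing left-to-right and
top-to-bottom: moving to a wider or deeper impact may keep the level
or escalate it, never lower it.
"""
from typing import Dict, List, Tuple

# Axes taken from the post; everything below them is a constructed assumption.
WIDTH = ["single user", "multiple users", "single department",
         "multiple departments", "single site", "multiple sites",
         "enterprise-wide"]
DEPTH = ["service request", "workaround available", "partially impaired",
         "work stoppage", "security/safety risk"]

CRITICALITY = ["low", "medium", "high", "critical"]
APPROVAL = ["pre-approved (tier 1)", "team lead", "change manager", "CAB"]

# Sample rankings (constructed). Columns: svc, workaround, partial, stoppage, security.
CRITICALITY_GRID = [
    [0, 0, 1, 1, 2],  # single user
    [0, 1, 1, 2, 2],  # multiple users
    [0, 1, 2, 2, 3],  # single department
    [1, 1, 2, 3, 3],  # multiple departments
    [1, 2, 2, 3, 3],  # single site
    [1, 2, 3, 3, 3],  # multiple sites
    [2, 2, 3, 3, 3],  # enterprise-wide
]
APPROVAL_GRID = [
    [0, 0, 1, 1, 2],  # single user
    [0, 1, 1, 2, 2],  # multiple users
    [1, 1, 2, 2, 3],  # single department
    [1, 2, 2, 3, 3],  # multiple departments
    [1, 2, 3, 3, 3],  # single site
    [2, 2, 3, 3, 3],  # multiple sites
    [2, 3, 3, 3, 3],  # enterprise-wide
]


def grid_violations(grid: List[List[int]]) -> List[Tuple[int, int]]:
    """Return (row, col) of every cell whose rank is lower than the cell
    to its left or the cell above it, i.e. where the ranking goes backwards."""
    bad = []
    for r, row in enumerate(grid):
        for c, value in enumerate(row):
            drops_across = c > 0 and value < row[c - 1]
            drops_down = r > 0 and value < grid[r - 1][c]
            if drops_across or drops_down:
                bad.append((r, c))
    return bad


def validate(grid: List[List[int]], n_levels: int) -> bool:
    """Check shape, level range and monotonicity of a grid."""
    if len(grid) != len(WIDTH) or any(len(row) != len(DEPTH) for row in grid):
        raise ValueError("grid must be len(WIDTH) x len(DEPTH)")
    if any(not 0 <= v < n_levels for row in grid for v in row):
        raise ValueError("cell value outside the level range")
    return grid_violations(grid) == []


def classify(width: str, depth: str) -> Dict[str, str]:
    """Look up criticality, approval level and change type for one request.
    A request whose approval cell is the pre-approved level is treated as a
    standard change that Tier 1 may execute; anything else is a normal
    change that needs the stated approver."""
    r, c = WIDTH.index(width), DEPTH.index(depth)
    approval_idx = APPROVAL_GRID[r][c]
    return {
        "criticality": CRITICALITY[CRITICALITY_GRID[r][c]],
        "approval": APPROVAL[approval_idx],
        "change_type": "standard" if approval_idx == 0 else "normal",
    }


if __name__ == "__main__":
    for name, grid, levels in (("criticality", CRITICALITY_GRID, CRITICALITY),
                               ("approval", APPROVAL_GRID, APPROVAL)):
        print(f"{name} grid monotone: {validate(grid, len(levels))}")
    # The VPN tunnel edit from the post: a service request, but multi-department.
    print(classify("multiple departments", "service request"))
```

Run stand-alone, the script confirms both sample grids are monotone and shows that a multi-department service request lands above the pre-approved level, which is the point made about VPN tunnel edits: the request type alone does not decide the approval path, the width of impact does too.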
Thanks aleghart for the detailed information.

Yes we do have daily changes like web filter requests, permission changes, ACL exceptions on Routers and Switches, Port changes, creating users and emails etc.

For VPNs we have approvals through forms.

I'm not sure how to get started with a policy.
BTW, we are using Manage Engine Service Desk as our ticketing system.
No matter what ticketing system you use, you still have to put the policies on paper first.

Using the grid exercise either by yourself or in a group meeting would be a good start.

Once you define approvals, assignment priority , and notifications, you can make it more detailed for your environment.

Since the approvals workflow is fairly complicated, you might have to bring an experienced person on to help with designing the flows, approvals, and escalations.  The software manufacturer or a 3rd-party trainer is better, since they have more detailed (real-world) knowledge than a reseller or general consultant.

What does your grid look like?  Some organizations try to go incredibly granular.  Others will use fewer rows and columns to simplify the response of the support team.
You should know that Change Management:
  • managing IT changes for the organization
  • Defined and documented process for change management must
  • It should involve all levels of the organization that are impacted
  • BC and DR plans must be aligned with Change Management
  • Change management is a preventive control
  • Patch management can be viewed as part of change management
  • The primary purpose of change management = To allow management to review all changes.
  • A change management process developed in the Design phase
  • All emergency changes should still undergo the formal change management process after the fact
I will really appreciate if anyone can share a policy for reference only similar to above points

Thanks
ASKER CERTIFIED SOLUTION
madunix
All change policies should include a risk assessment, reviewed and approved by someone other than the author/requester.
MadUnix has been very comprehensive!
I will be very thankful if you guys can share any change management policy.
What sort of changes should reflect on policy ?
Hi Madunix
Appreciating your effort and time in this thread, detailed guidance.
Basically we have some daily and occasional changes. Daily changes include things such as:
Creating AD Users, Email Mailboxes
Granting Web Access
Changing VLAN membership for the ports
Changing permissions on folders.
Daily IT Operational such relocating PCs, reformatting etc.

Occasional changes include:
Changes on Windows Servers
Adding Server and VM
Adding Router and Switches
Upgrading Network Devices
Patching Windows
Firewall Changes
Switches Changes like creating VLAN

How should those changes be dealt with and documented in the policy? Are daily changes required to go through the change process?
As you know, the most relevant policies where CISOs should look are:
1  Acceptable use policy
2  Privacy policy
3  Password management policy
4  Disposal and destruction policy
5  Storage and retention policy
6  Incident response policy
7  Data classification policy
8  HR policy
9  Change Management policy
10 Firewall policy
11 Third Party Access Policy

Regarding Change Management policy; you will find some template at:
http://csrc.nist.gov/publications/PubsSPs.html
https://www.auckland.ac.nz/en/about/the-university/how-university-works/policy-and-administration/computing/security/it-security-management-plan-template.html
http://www.itgovernance.eu/
https://www.bsi.bund.de/DE/Themen/ITGrundschutz/itgrundschutz_node.html
https://www.cisecurity.org/critical-controls/
https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory
https://www.scribd.com/

Note on change management: "A change management review ensures that changes are implemented in accordance with the organization's change management policy. This often includes a review of outages to determine the cause. Outages that result from unauthorized changes are a clear indication that the change management program needs improvement." (as per CISSP 7th edition, Sybex)
Thank you madunix for the useful links
From the above list I have been tasked with most of the policies; I've completed the Firewall Policy, and the next is the Change Management Policy.
Basically, what kind of changes should be documented and followed by the policy?
Is it required to follow the same chain for daily requests for IT resources?

Thanks
SOLUTION
Thanks madunix for your valuable reply. Now that will be a good start to write the policy.
I was just confused about when the change management policy comes into use.

Should the policy be used for the following changes?
Adding new server in the existing network either physical or VM ?
Adding new switch
Adding new vlan
Adding new remote site
VPN requests either remote access or site to site

many thanks once again in advance
A new VM is a service request, unless you are changing topology, firewall, or adding resources beyond just firing up a VM.

The rest have potential impact.

Even something as small as a role account password change is a change.  Unlike a single user's password, something like an Active Directory account used by a service (or an unknown number of services) could take down an authentication system, web content filters, software deployment systems, etc.
Hi aleghart
So daily changes can be categorized as standard changes, which are pre-approved.
For example web requests, changing VLAN membership of ports, modifying ACLs on routers and switches.

Normal changes should go through the change management process, such as creating a new firewall rule, adding a new server or VM, adding a switch etc.

Please correct me if I am wrong
SOLUTION
Ohh..that would be nasty.
We have Manage Engine Service Desk, but we haven't deployed yet the Change Management module.

Daily, or if not daily then on alternate days, we have a request to change a switchport VLAN; going through a process would be complicated.
For example if I am the network admin, I need to change switchports, add VLANs, or modify ACLs, so I would have to be both change requester and approver for this request.

Also we have web requests or creating email or user accounts; do we also need a change process for those?

Thanks for bearing with me
Also can you please advise what the difference is between a normal and a standard change? Examples would be a piece of cake.
Thanks
SOLUTION
Thanks for the valuable points

What will be the difference between Problem, Incident and Change Management?

Should incident and problem be included in the Change Management Policy?

Thanks
SOLUTION
I wrote up the document with some points; can I share it here so you can advise and add some suggestions?
Scrub it first.  This page would be open to anyone on the internet.  No company/personnel info, etc.
Thanks. Much appreciated.
Please see the attached.
CMP.docx
Hi aleghart
Have you had a chance to review my document?
I know my document might be quite few things
You may add up the points

Many thanks for your help, much appreciated.
SOLUTION
Hi there,
Thanks for the detailed information
I request you to go through my previously attached policy; can you please review it and add some points? I will really appreciate it.

Thanks
Hi Madunix and Aleghart

Thanks for bearing with me, as I'm new to this kind of documentation, but I'm sure with your help I can write my own document.

Let me just put it straightforwardly so I will not waste your time, guys.

- Our management consists of CIO and IT Network Unit Director
I'm a network administrator reporting to Network Unit Director
So in my case who will be CAB members?

Change Manager will be Network Unit Director

We don't make any CAB meetings

- What is a change log and documentation, in this sense? If someone asks me whether all the changes should be logged and recorded, how can this be managed?

-
Hi Experts
Any further help please ?
Your change requests must be logged into a support desk system, so that a request is associated with a reference number and reports can be generated for appropriate entities; for example, by department, by user, by time taken to complete a request.

The system can be a home-built database if you're short of budget, but there are many commercial products around that will work for you. Don't forget, they can be used for multiple areas once installed, not just IT.
Sir,
We have Manage Engine Service Desk with Change Management Module.
The requester will fill in the online form and submit the request; change requests will then follow the workflow as described in our policy.
Actually I have submitted a few classifications of requests, if you can have a look.

I've created the policy if I can share with you privately to have a look and advice with your valuable suggestions.

https://www.experts-exchange.com/questions/28951438/Change-Management-Policy-and-Control-Process.html