863.00  Information Resource Change Management 

Scope

This policy applies to Salish Kootenai College (“College”).

Purpose

This policy promotes a formal process for submitting, reviewing, approving, and closing college information resources change items. 

Definitions and Examples

College Information Resources are any device or software that transmits, controls, or stores information as defined in the Information Security Policy. This includes hardware and software that deals with college information. Examples include the Google Cloud or Jenzabar J1.

Audience

The Salish Kootenai College Information Resource Change Management Policy applies to any individual that creates, evaluates, and/or implements changes to Salish Kootenai College Information Resources.

Policy

  1. It is the policy of the College to minimize the risk associated with changes to college infrastructure, applications, systems, processes, documentation, and interfaces.

    Exceptions to this policy will be handled per the Information Security Policy. In emergency cases, actions may be taken by the Incident Response Team per the procedures in the Incident Response Plan. These actions may include rendering systems inaccessible.
    1. Submitting a Change Request
      1. Change requests are to be submitted via the approved procedure by the individual in charge of making the change. The change should only be completed once reviewed and approved according to the approved procedure. The documentation must identify the scope of the change, areas affected, back-out process, testing completed, communication plan, and planned deployment date.
    2. Reviewing and Approving a Change Request
      1. Change requests must be peer-reviewed and approved before executing the change. Exceptions to this are in the case of emergency changes necessary to maintain business continuity or operations.
    3. Closing a Change Request
      1. Once a change has been executed, the results must be confirmed and documented, or in the case of a roll-back, documentation of what went wrong must be provided.
  2. Enforcement
    All employees whose responsibilities are affected by this policy are expected to be familiar with the basic procedures and responsibilities created by this policy. Failure to comply with this policy will be subject to appropriate performance management according to all applicable policies and procedures, up to and including termination. Such performance management may also include modification of compensation, including any merit or discretionary compensation awards, as allowed by applicable law.

References

  • ISO 27002: 12.1.2
  • NIST CSF: PR.IP-3
  • Policy 862.00, Network Management Policy
  • Procedure 170.00, General Records Retention Schedule
  • Policy 860.00, Information Security Policy
  • Salish Kootenai College Incident Response Plan

History:

Adopted: 3/17/2023

Theme: Overlay by Kaira
Salish Kootenai College is accredited by the Northwest Commission on Colleges and Universities. Salish Kootenai College | PO Box 70 | 58138 US Highway 93 | Pablo, MT 59855 | 406.275.4800.