LEGISTIFY SERVICES PRIVATE LIMITED
CHANGE MANAGEMENT POLICY
Document Name: | CHANGE MANAGEMENT POLICY |
|
|
Classification: | Internal |
|
|
Document Owner: | CISO/MR- |
|
|
Document Approver: | Top Management |
|
|
Original Document Issue Date: | 10/09/2023 |
|
|
Current Edition: | Version 2.0 |
|
|
Revision History: |
|
|
|
S. No. | Description of Change | Date of Change | Version No. |
1 | Initial Release | 10/09/2023 | 1.0 |
2 | Second Release | 10/09/2024 | 2.0 |
3 |
|
|
|
5 |
|
|
|
6 |
|
|
|
7 |
|
|
|
1. Overview
The purpose of this policy is to describe the responsibilities, policies, and procedures to be followed when any changes to the LEGISTIFY SERVICES PRIVATE LIMITED computer network are to be made.
The Change Control policy is designed to provide a managed and orderly method in which changes to the information technology environment are requested, tested and approved prior to installation or implementation. The purpose is not to question the rationale of a change, but to ensure that all elements are in place, there is no negative impact on the infrastructure, all the necessary parties are notified in advance and the schedule for implementation is coordinated with all other activities.
The Head of Information Technology must approve any exceptions to this policy in advance.
2. Definitions
Change: to transform, alter, or modify the operating environment or standard operating procedures that have a potential or significant impact on the stability, security and reliability of the infrastructure and impacts on the conducting of normal business operation. Plus any interruption in building environments that may also cause disruption to the network infrastructure.
Change Request: The official request for any critical change should be submitted via email to the VP of Information Technology. End users requests should be submitted via email to IT Help Desk where it can be routed to the appropriate member of the IT Department for review.
3. Scope
All employees, contractors, consultants, temporary and other workers at GREENYANA ENERGY PRIVATE LIMITED, including all personnel affiliated with third parties that may have access to network computer systems on behalf of LEGISTIFY SERVICES PRIVATE LIMITED must adhere to this policy.
Types of Changes
LEGISTIFY SERVICES PRIVATE LIMITEDhas divided the changes in four categories (Critical, High, Medium, and Low) which will have varied turnaround time depending upon the severity of change.
4. Definition of changes
Critical (P0): All emergencies and any unforeseen events to be categorised into critical changes which are not known in advance. Impact is high but probability is low.
High (p1): Firewall access changes, changes in software program codes, new changes in regulatory environment will be categorise into Critical changes. Impact is high but probability is low.
Medium (P2): Acquisition of new hardware/ software, Hardware and software upgrades. Impact is medium and probability is medium.
Low (P3): User Requests, Hardware and software changes, scheduled periodic maintenance. Impact is low but probability is high.
5. Change Management Process
Change Management provides a process to apply changes, upgrades, or modifications to the environment. This covers any and all changes to hardware, software or applications. It also includes modifications, additions or changes to the LAN/WAN, Network or Server hardware and software, or any other environmental components. The policy is in place to ensure that any change that affects one or all of the environments that Organization relies on to conduct normal business operations are protected.
Changes to the environment arise from many circumstances, such as:
User requests
Hardware and/or software upgrades
Acquisition of new hardware and/or software
Environmental changes
Business Operational schedule changes
Unforeseen events
Scheduled Periodic Maintenance
The above list is not all-inclusive. Therefore any questions on whether a change can be made should be directed to the ISMS Manager.
Process
Change Management would typically comprise the raising and recording of changes, assessing the impact, cost, benefit and risk of proposed changes, developing business justification and obtaining approval, managing and coordinating change implementation, monitoring and reporting on implementation, reviewing and closing request for change.
Change management is responsible for managing change process involving:
Hardware
Software
Request for Change
Change requirement may arise reactively in response to problems or externally imposed requirements, e.g. business requirements, outcome of capacity management, legislative changes.
proactively from seeking imposed efficiency and effectiveness or to enable or reflect business initiatives, or from programmes, projects or service improvement initiatives.
Request for change is made by the asset owner (e.g. owner of the domain, server, network, etc).
Change is requested by filling up Change Requisition Form [CR] and need to be submitted to IT or creating an IT Incident Ticket and submitting on the Portal;
ISMS Manager is the change Approver for any hardware or software change request.
Initial Approval
Change Requisition Form [CR]provides the facility of getting approval from multiple authorities;
As there are multiple approvers {i.e. respective departmental head, Manager – IT so CR or IT Incident Ticket must be approved by Manager IT for Hardware and Software changes.
Upon receiving of CR, approver may select the option for approving the change or to disapprove it and also need to justify his decision;
Manager IT need to assess the risks associated with the changes before approving the Change request.
Disapproval of Change Request
If change is disapproved by any of the approver; then requestor has to discuss the issue with approver and have to raise the new CR if required.
Approval of Change Request of Hardware and/or Software
Once approved, change coordinator will prepare a change plan in Change Management Form [CM]. Change plan consists of following:
Deployment Plan;
Impact on current IT Infrastructure:
Hardware
Software
Risk(s) associated with change;
Risk(s) Treatment plan (This can be done by filling Risk Assessment & Treatment Plan Form;
Back-Up Plan (Prior to change being made);
Testing Plan;
Roll-Back Plan;
Other Vendor or Customer Resource Requirement;
Approx. Cost associated with Change.
After preparing the complete change plan by filling Change Management Form [CM], change coordinator will propose the same plan to IT Manager for his final approval;
Approver being a final approval authority may approve or disapprove the change request after assessing the business need.
6. Emergencies
Emergencies exist only as a result of:
An office is completely out of service,
There is a sever degradation of service needing immediate action,
A system/application/component is inoperable and the failure causes a negative impact
A response to an emergency business need.
7. Scheduled or Planned Maintenance
Prior the commencement of any planned or scheduled maintenance, the “Scheduled Maintenance Change Form” must be completed and signed off by a supervising member of the IT Department. A copy of the completed form shall be kept under a new document name and number in under document type “IT Documents” for future reference.
8. Firewall Access Changes
A firewall change is defined as access to a specific system that by-passes the protection of one of the firm’s firewalls. Prior to any changes to the firewalls being made; the “Change Request Form” must be completed. The completed form shall be kept under a new document name and number in shared folder under document type “IT Documentation” for future reference. Any changes made to the firewalls must be recorded in the Change Log immediately upon completion of the modifications.
Changes to the firewalls will only approved when there is a demonstrated business reason to implement the changes in access.
Documentation of Changes
A Change Log shall be kept in a publicly accessible location for the entire IT Department to view. Every member of the IT Department, who is in a position to make changes to a system or network resource, will be required to place an entry in this form to document any changes being made without exception. Other members of the IT department are encouraged to review the log from time to time to keep abreast of the changes going on in the computer network.
Turnaround Time
Sl. No. | Change Category | TAT | Mode of Request | Form to be added |
1 | Critical P0 | Within 2 (4) hours | Verbal followed by Mail | Change Request Form (to be mandatorily attached while sending mail |
2 | High P1 | Within 12 (24) hours. Development May take more time. | Verbal followed by Mail | Change Request Form (to be mandatorily attached while sending mail) |
3 | Medium P2 | Within 24 (48) hours | IT helpdesk ticket | To be described in IT ticket (CRF is recommendatory) |
4 | Low P3 | Within 48 (96) hours | IT helpdesk ticket | To be described in IT ticket (CRF is recommendatory) |
Change Request Form
Change Management Form
Policy Revision History
Date | Version | Author | Reviewer | Approver | Comments |
10/09/2023 | 0.1 | ISMS Manager | CIO | LEGISTIFY SERVICES PRIVATE LIMITED Management | Draft Version of Change Management |
|
|
|
|
|
|
|
|
|
|
|
|