Procedure P4-004E: Change Management

Purpose and Scope‌

1. Purpose.

   The purpose of this Change Management Procedure is to outline the Change management process for the University’s Information Systems.

2. Scope.

   The scope of this procedure is all University administrative, units, including colleges, divisions, departments, and centers, and all members of the University community, including students, staff, faculty, other permanent or temporary employees, contractors, research collaborators, vendors, and third-party agents.

   This procedure supports Section E, titled Change Management, of the University of Utah Information Security Policy 4-004.

‌Definitions‌

The definitions provided in Policy 4-004 apply for this procedure. In addition, the terms below apply for the limited purpose of this procedure.

1. Change Advisory Board (CAB) – A formally constituted group of stakeholders responsible for providing oversight and guidance to support IT managers, IT Technicians, and Users managing Information Systems. The CAB serves as a decision-making body responsible for evaluating and endorsing Changes.

‌Procedure‌

1. Executive University Information Technology (UIT)/Information Technology Services (ITS) leadership shall establish a Change Advisory Board (CAB) that includes relevant stakeholders to ensure collaborative decision-making and to prevent reliance on a single individual to authorize Changes to University-wide Information Systems.

2. The CAB shall:

   1. review and approve Changes for feasibility, relevance, and potential organizational impact;

   2. in coordination with IT managers and IT Technicians, assess the potential impacts Changes may have to the confidentiality, integrity, and availability of involved Information Systems;

   3. coordinate Change activities with IT managers and IT Technicians; and

   4. conduct a post-Change review to identify lessons learned and areas for organizational improvement.

3. IT managers shall:

   1. ensure compliance with the applicable federal, state, and local laws, regulations, and statutes, as well as contractual obligations for the Information Systems for which they are responsible;

   2. in cooperation with applicable stakeholders, capture business requirements for Changes;

   3. submit Change requests to the CAB for University-wide Information Systems;

   4. document and coordinate Change activities with the CAB and IT Technicians;

   5. communicate Change details to relevant stakeholders; and

   6. establish a Change review process for local Information Systems. In the absence of an IT manager, the department head is accountable for meeting this requirement.

4. IT Technicians shall:

   1. create a Change plan that includes, at a minimum, required personnel, required Information Systems, Change details, the Change timeline, a means of testing the plan, and rollback processes;

      1. Change plan tests may not be conducted in production environments.

   2. coordinate Change activities with relevant stakeholders and IT managers;

   3. implement approved Changes; and

   4. validate and monitor Changes after implementation.

      ---

      Sections IV- VII are for user information about this procedure.

‌Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources‌

1. 1. Policies/ Rules.

      1. Policy 4-004: University Information Security Policy

   2. Procedures, Guidelines, and Forms. [ reserved ]

   3. Other Related Resources. [ reserved ]

‌References‌

1. [ reserved ]

‌Contacts‌

The designated contact officials for this Regulation are

1. 1. Policy Owner(s) (primary contact person for questions and advice): Chief Information Security Officer

   2. Policy Officer(s): Chief Information Officer

      See Rule 1-001 for information about the roles and authority of policy owners and policy officers.

‌History‌

Revision History.

1. Current version. Revision 0.

   1. Approved by Chief Information Security Officer with effective date of November 6, 2024.

2. Renumbering

   1. Not applicable