ICT infrastructure change management guideline
QGEA
September 2010
v1.0.0
PUBLIC
Document details
Security classification | PUBLIC |
Date of review of security classification | September 2010 |
Authority | Queensland Government Chief Information Officer |
Author | Queensland Government Chief Technology Office |
Documentation status | Working draft / Consultation release / Final version |
All enquiries regarding this document should be directed in the first instance to:
Director, Technology Architecture and Strategy
Queensland Government Chief Technology Office
[email protected]
This version of the Queensland Government Enterprise Architecture (QGEA) ICT infrastructure change management guideline was developed and updated by the Network and Security Architecture Team, Queensland Government Chief Technology Office (QGCTO).
Feedback was also received from a number of agencies, which was greatly appreciated.
Copyright © The State of Queensland (Department of Public Works) 2010
Licence
ICT infrastructure change management guideline by the QGCTO is licensed under a Creative Commons Attribution 2.5 Australia Licence.
To attribute this material, cite the Queensland Department of Public Works.
This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.
3.1 Roles and responsibilities
3.2 Change management procedures
3.3 Assessment, prioritisation and authorisation
A Queensland Government Enterprise Architecture (QGEA) guideline provides information for Queensland Government agencies on the recommended practices for a given topic area. Guidelines are generally for information only and agencies are not required to comply. They are intended to help agencies understand the appropriate approach to addressing a particular issue or doing a particular task.
This guideline specifies the Queensland Government’s recommended approach to change management.
This document is primarily intended for:
agency staff responsible for implementing changes
agency staff responsible for approving changes
agency staff responsible for maintaining change management documentation.
The discipline of change management should be applied consistently across all domains of the QGEA. This guideline relates specifically to ICT hardware and software assets, including the supporting processes and documentation.
The Queensland Government expects that all changes to ICT hardware and software assets, including the introduction of new or replacement technologies, are traceable to business decisions and requirements, and approved by all stakeholders prior to implementation. This standardised approach is designed to ensure that all changes are reviewed and approved in a consistent and co-ordinated manner.
Effective change management will reduce both the frequency and severity of adverse information security and ICT incidents by:
reducing uncontrolled and unapproved changes to ICT infrastructure and processes
improving the governance of ICT infrastructure and processes
ensuring that each agency assesses the potential impact of all changes to, or the introduction of, ICT infrastructure and processes prior to deployment into production environments.
All ICT infrastructure used within an agency has either a well-defined or an implied life cycle associated with its intended use. In addition, there are supporting processes associated with managing this environment.
This life cycle covers the introduction of an ICT asset to an agency’s infrastructure, and has associated management activities, including modifications, patches, updates and disposal or retirement. Each stage of the asset life cycle needs to be fully understood by the asset owner and those personnel tasked with managing the asset.
Change management is a process that should clearly identify, support and incorporate the following roles and associated responsibilities:
requestors – the people, or regular process, making the change request
Change Advisory Board – a group of people authorised to approve change requests
stakeholders – anyone who has a business interest in the outcome of the change request.
Formal change management procedures should be established to control, in a standardised manner, all changes to ICT infrastructure, as well as supporting procedures, processes, and configuration parameters. This ensures that:
changes are managed through a standardised approach that ensures consistency and repeatability
changes are formally reviewed and approved in a consistent and coordinated manner
expectations between all stakeholders are clearly defined and managed.
All change requests should be individually assessed using a risk management approach in order to determine the impact on ICT infrastructure, procedures, processes, service delivery and available resources. This ensures that change requests are:
assessed for impact on people, process and technology
prioritised according to resources, service level agreements and service availability
dependent upon the impact severity, authorised by the Change Advisory Board after consultation with, and approval by, key stakeholders.
Emergency change requests, made outside the formal change management procedure, allow agencies to be flexible and agile in response to various threats. Emergency change requests should be:
correctly identified and consistently managed through a standardised approach
formally reviewed and analysed after the change has been implemented to ensure compliance with the formal change management procedure.
The status of all changes, whether completed, in-progress, reverted or rejected, should be tracked and reported in order to communicate progress to all stakeholders. Recording and reporting the current status ensures that all outcomes are traceable and that decision makers are accountable.
The status of a change request may be one of the following with respect to the original change management request:
completed – where a change has been implemented
in-progress – where a change has not yet been implemented
reverted – where a change was not successful
rejected – where a change was not approved.
Changes that have been completed, in-progress, reverted or rejected may cause associated documentation to be updated. All relevant and affected documentation should be updated as part of the change management process to ensure that the current state has been accurately recorded. This includes, but is not limited to:
policies, procedures, processes and guidelines
automation of tasks, including workflow software, programs and scripts
architectural documentation
physical and logical network diagrams.
Where possible, these documents should have the ability to be dynamically updated in order to reduce workload on staff resources and the introduction of manual errors.
Document authors: Peter Nikitser
Filename: Change management guideline
Version | Date | Author | Description |
---|---|---|---|
0.0.1 | 04/03/2010 | QGCIO | Changed to guideline and updated styles. |
0.0.2 | 12/04/2010 | QGCTO | Subsequent draft including feedback from the Information Security Reference Group. |
0.0.3 | 13/05/2010 | QGCTO | Subsequent draft including feedback from the Department of Community Services. |
0.0.4 | 07/07/2010 | QGCTO | Moved from Draft status to Final document after endorsement by the ICT Security Sub-Committee. |
0.1.0 | 31/08/2010 | ICT Governance, Policy and Coordination Office | Updated by Director, ICT Governance, Policy and Coordination Office. |