ÐÒÔË¿ìÈý

Contents:

A. Purpose
B. Scope
C. Definitions
D. Policy
E. Noncompliance
F. Exceptions
G. Contact Information
H. References

A. Purpose. This policy establishes the mechanism for verifying and approving changes to university managed technology resources. Changes to information systems are required on both a regular and emergency basis to fix issues, add new functionality, address new security and compliance requirements, and improve the user experience. Due to the complexity of modern technology systems, such changes must be carefully reviewed, performed, and vetted as, if done improperly, can cause disruptions, weaken security postures, and cause a loss of data. To address this, as well as assist in the University’s compliance requirements, this policy provides that:

• Changes are performed in a way to minimize risks to the university.
• All security and compliance requirements remain enforced consistent with U of I standards and principles of least privilege and functionality.
• All impactful changes to technology resources are tracked and approved in a timely manner.

B. Scope. This policy applies to any changes to technology resources as defined in APM 30.12 C-1, that could have a negative effect on services or data that are classified as production or high impact by the Change Advisory Board, system/data owner, or other relevant authority.

The scope of this policy does not supersede approved system security plans, laws, regulations, or contractual change management limitations or requirements.

C. Definitions

C-1. Change Advisory Board (CAB). A group that reviews, approves, and prioritizes changes, either explicitly, or through approved processes, and maintains the standards for changes.

C-2. Change Control Board (CCB). A group of one or more individuals within projects or dedicated technology that is responsible for ensuring changes adhere to standards. Examples include but are not limited to: subject matter experts, managers, or impacted teams.

C-3. Eme