Office of the Chief Information Officer Enterprise Policy
CIO-101: Enterprise Release Management Policy
Effective Date: 06/22/2016
Policy Statement: The purpose of this policy is
to establish a foundation for the use
of effective Release Management processes and procedures for regulating modifications to the Commonwealth of Kentucky’s production software applications.
Policy Maintenance: The Commonwealth
Office of Technology (COT), Office of Information Technology Service Management, Change Management Branch has the
responsibility for maintaining this policy.
Organizations may choose to add to this policy as appropriate, in order to
enforce more restrictive
standards. Therefore, staff members are to refer to their organization's internal
policy, which may
have additional information or clarification of this enterprise policy.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies that
support and promote the effective application of information technology within the executive branch of state government, as well information technology directions, standards, and
necessary management processes to
assure full compliance with those policies.
Applicability: This policy is to be adhered to by
all
Executive Branch agencies
and non-Executive Branch agencies utilizing
COT
to
manage infrastructure
and services, including employees, contractors, consultants,
temporaries, volunteers and other workers within state government that install, operate, or maintain production
software. This
policy similarly applies to any agency or group utilizing the Commonwealth’s
enterprise IT infrastructure or components thereof (including networks,
hardware, software, storage or other computer systems) in the operation of its
software applications.
Responsibility for Compliance: Each Agency is responsible for assuring that appropriate staff within their
organizational authority have been made aware of the
provisions of this policy, that compliance by the staff is expected, and that unauthorized and/or neglectful actions in regard to this policy may result in disciplinary action pursuant to KRS 18A up to and including dismissal. It is each
Executive Cabinet’s responsibility to
enforce and manage the application of this policy.
Non-compliance to the policy may result in
additional shared
service charges to the
Agency
for
COT’s remediation efforts pertaining to this policy.
Review Cycle:
This policy will
be reviewed at least every two years.
Definitions:
Agency Build Team: The group
that is making and testing the software modification(s).
Agency IT Services Contact (AITSC): Staff members authorized by
each
agency to approve requests
for IT
Service modifications
(view the
Agency IT Services Contact listing).
Change Advisory Board (CAB): This board is made-up of representatives from all areas within COT,
and representatives from agency business and
IT
units who can give expert advice to the COT
Release
Management Team on the implementation of the
requested
modifications. CAB meets weekly, the role of the meeting is to
share
information, concerns, comments, etc., in
a cooperative environment, in
order to assess
impact
and advise the Change Manager of potential issues and/or disruptions of service to COT customers.
Change Manager: The Change Management process leader, referred to as the Change Manager, has oversight responsibility and authority for
all modification requests and modification procedure enforcement. The Change Manager, in combination with the CAB, has approval/rejection
rights over submitted
modification
requests.
Configuration Item: The fundamental structural
unit of an information technology solution. Examples include,
but are not limited to, requirement
documents, software, hardware, models and plans.
COT Release Management Team: The COT group that is charged with the review and implementation of
modifications being made within hosted applications and infrastructure.
Enterprise Release Management: The process utilized to control the flow
of changes into production from developed applications or those that require patching. Enterprise Release Management is an essential
function for
all organizations that
are
developing or purchasing software.
ITIL Framework: A set of practices for IT Service Management
(ITSM) that focuses on aligning IT services with the needs of business.
Release
Manager: The
Release Manager is responsible for planning and controlling the movement of
Releases to live environments. The
Release Manager’s primary objective is to ensure that the integrity of the live
environment is protected and that the correct components are released.
Release
Notes: Step-by-step
instructions to deploy the code, stored procedures, and/or reports associated
with a Release.
Release Package: A Release
Package (also referred to as a “Release”) consists of a single Release Unit or a
structured set of Release Units.
Release Unit: A Release Unit is a set of new, changed and/or unchanged Configuration Items, which are tested and introduced into the live environment together
to
implement one or several approved Changes.
Requestor: The individual who is
submitting the request for release deployment.
Security
Vulnerability Assessment: A
review conducted prior to production deployment to scan an application, to identify
and address potential security vulnerabilities that could harm the enterprise.
Testing
Environment: A non-production environment in which all
qualifying tests are executed. The
Testing Environment must be logically separated from the environment in which
the application was developed, and must be configured similarly to the
production system.
Policy:
Production software applications
are
dependent upon IT infrastructure supported by
the Commonwealth Office
of Technology (COT).
As a result of Executive Order 2012-880, Regarding the
Centralization of Information Technology
Infrastructure across the Commonwealth, the interdependency between applications and infrastructure has grown. The need
for a strong release
management policy
is essential to ensuring the predictability
and stability
of both the applications serving the
citizens and businesses of the Commonwealth, and the infrastructure on which they reside.
The purpose of this Policy
is to ensure all software application updates are reviewed and implemented in a rational
and predictable manner. As COT
seeks to implement best practices form the ITIL framework, establishing policy,
processes and procedures for managing software releases is paramount. Effective application and enforcement of these
standards is also essential to ensuring reliable delivery of services.
This policy does not detail every step required
for
promoting a change
to
production but rather the common requirements for effective management of these activities.
Agencies are responsible
for
the following
prerequisites prior to
requesting
deployment of software code to the production environment:
1.
For new
application deployments or major releases, completion of a Security
Vulnerability Assessment in the Testing Environment, with verifiable proof
thereof. A Vulnerability Assessment
Notification form (COT-F110) shall be submitted to the Commonwealth Service
Desk at least 30 days prior to deployment.
2.
Completion of successful testing of all modifications
in the Testing Environment, with verifiable proof thereof.
3. Verification of secondary
dependencies or system interactions which could be affected by deployment.
4. Creation
of release notes outlining all changes contained within the release package.
5. Development of an implementation plan and installation instructions.
6.
Verification of testing of the implementation plan and implementation instructions
on a non-production system. The test
system must be logically separated from the environment in which the
application was developed, and configured similarly to the production system.
7.
Development of a working roll-back strategy for the modifications.
Requests for
deployment shall be submitted to the Commonwealth Service Desk via email on
form COT-F052, Application Code Movement Form. The request must be submitted by or contain
approval from an Agency IT Services Contact. COT reserves the right to reject any request
that does not meet the necessary prerequisites, or is submitted in an
incomplete or improper fashion.