Policy Statement: This policy establishes controls concerning
Enterprise Software Change Management. The policy provides guidance in
decision-making and practices that optimize resources, mitigate risk, and
maximize return on investment.
Definitions:
· Enterprise Software Change Management: The process of controlling changes from developed, patched, or purchased applications entering the production environment.
· Release Notes: Instructions for deploying the code, stored procedures, and/or reports associated with a change to software.
· Release Package: A single release unit or a structured set of release units, consisting of new, changed and/or unchanged configuration items.
· Testing Environment: A non-production environment, logically separated from the environment in which the application was developed, and configured similarly to the production environment.
Roles:
· COT Change Management Team: Commonwealth Office of Technology (COT) employees who review and implement modifications made within hosted applications and infrastructure.
· Agency Release Team: Agency employees who plan and control the release of software into the production environment, and who test and implement software modifications.
Policy:
This policy establishes a framework for controlling modifications to the Commonwealth of Kentucky’s production software applications. Because production software applications operate on IT infrastructure supported by COT, this policy is essential to the predictability and stability of the applications, and of the infrastructure where the applications reside.
An agency may deploy software changes directly to the production environment if the agency meets the following requirements:
a) Agency shall assign an Agency Release Team responsible for coordinating with the COT Change Management Team.
b) Agency shall provide the COT Change Management Team access to and training for the software, sufficient to support COT rollbacks, deployments, review, and audit. For any release, the default action in the event of an issue is an immediate rollback, followed by analysis on the appropriate lower-level system (usually UAT). Either the application owner or COT may direct this action, and it must be taken immediately.
Alternatively, an agency may contact the COT Change Management Team to arrange for COT Enterprise Software Change Management services. These services require the Agency Release Team to coordinate with the COT Change Management Team. Agencies requesting COT to deploy software into the production environment shall:
a) Create Release Notes outlining all changes contained within the Release Package and identifying secondary dependencies or system interactions.
b) Develop an implementation plan and installation instructions that include a rollback strategy.
c) Complete successful testing of all modifications on a non-production system following the plan and instructions.
d) Identify the tester that provided change approval.
e) Request deployment of the code.
For
new application deployments or significant changes to existing applications,
agencies shall complete a security vulnerability assessment in the Testing
Environment.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology
(COT) to develop policies and compliance processes to support and promote the
effective application of information technology within the executive branch of
state government.
Applicability:
All executive branch agencies, and non-executive branch agencies using
COT-managed infrastructure or services, shall adhere to this policy. This includes employees, contractors,
consultants, temporaries, volunteers, and other workers within state
government.
Responsibility for Compliance:
Each agency shall ensure that staff within their organizational
authority are made aware of and comply with this policy. The agency is
responsible for enforcing it.
Unauthorized and/or neglectful actions regarding this policy may result
in disciplinary action up to and including dismissal. COT may require additional service charges
for remediation efforts due to non-compliance with this policy.
Maintenance:
COT’s Office of IT Architecture and Governance is responsible for
maintaining this policy. Organizations
may modify this policy to fulfill their responsibilities, but shall obtain
approval through an exception request. Organization
staff should refer to their internal policy, which may have additional
information or clarification.
Review Cycle:
COT will review this policy at least every two years.