CIO-101 Enterprise Release Management Policy

Office of the Chief Information Officer Enterprise Policy
CIO-101: Enterprise Release Management Policy
Effective Date: 06/22/2016
Policy Statement:  The purpose of this policy is to establish a foundation for the use of effective Release Management processes and procedures for regulating modifications to the Commonwealth of Kentuckys production software applications.

Policy Maintenance: The Commonwealth Office of Technology (COT), Office of Information Technology Service Management, Change Management Branch has the responsibility for maintaining this policy. Organizations may choose to add to this policy as appropriate, in order to enforce more restrictive standards. Therefore, staff members are to refer to their organization's internal policy, which may have additional information or clarification of this enterprise policy.

Authority:    KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies that support and promote the effective application of information technology within the executive branch of state government, as well information technology directions, standards, and necessary management processes to assure full compliance with those policies.

Applicability: This policy is to be adhered to by all Executive Branch agencies and non-Executive Branch agencies utilizing COT to manage infrastructure and services, including employees, contractors, consultants, temporaries, volunteers and other workers within state government that install, operate, or maintain production software.  This policy similarly applies to any agency or group utilizing the Commonwealth’s enterprise IT infrastructure or components thereof (including networks, hardware, software, storage or other computer systems) in the operation of its software applications.  

Responsibility for Compliance:   Each Agency is responsible for assuring that appropriate staff within their organizational authority have been made aware of the provisions of this policy, that compliance by the staff is expected, and that unauthorized and/or neglectful actions in regard to this policy may result in disciplinary action pursuant to KRS 18A up to and including dismissal. It is each Executive Cabinets responsibility to enforce and manage the application of this policy.

Non-compliance to the policy may result in additional shared service charges to the Agency for COTs remediation efforts pertaining to this policy.
Review Cycle: This policy will be reviewed at least every two years.
Agency Build Team: The group that is making and testing the software modification(s).
Agency IT Services Contact (AITSC):  Staff members authorized by each agency to approve requests for IT Service modifications (view the Agency IT Services Contact listing).
Change Advisory Board (CAB):  This board is made-up of representatives from all areas within COT, and representatives from agency business and IT units who can give expert advice to the COT Release Management Team on the implementation of the requested modifications.  CAB meets weekly, the role of the meeting is to share information, concerns, comments, etc., in a cooperative environment, in order to assess impact and advise the Change Manager of potential issues and/or disruptions of service to COT customers.
Change Manager:  The Change Management process leader, referred to as the Change Manager, has oversight responsibility and authority for all modification requests and modification procedure enforcement. The Change Manager, in combination with the CAB, has approval/rejection rights over submitted modification requests.
Configuration Item: The fundamental structural unit of an information technology solution. Examples include, but are not limited to, requirement documents, software, hardware, models and plans.
COT Release Management Team:  The COT group that is charged with the review and implementation of modifications being made within hosted applications and infrastructure.
Enterprise Release Management: The process utilized to control the flow of changes into production from developed applications or those that require patching. Enterprise Release Management is an essential function for all organizations that are developing or purchasing software.
ITIL Framework:  A set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of business.
Release Manager: The Release Manager is responsible for planning and controlling the movement of Releases to live environments.  The Release Manager’s primary objective is to ensure that the integrity of the live environment is protected and that the correct components are released.
Release Notes: Step-by-step instructions to deploy the code, stored procedures, and/or reports associated with a Release.
Release Package:  A Release Package (also referred to as aRelease) consists of a single Release Unit or a structured set of Release Units.
Release Unit: A Release Unit is a set of new, changed and/or unchanged Configuration Items, which are tested and introduced into the live environment together to implement one or several approved Changes.
Requestor: The individual who is submitting the request for release deployment.
Security Vulnerability Assessment: A review conducted prior to production deployment to scan an application, to identify and address potential security vulnerabilities that could harm the enterprise.
Testing Environment:  A non-production environment in which all qualifying tests are executed.  The Testing Environment must be logically separated from the environment in which the application was developed, and must be configured similarly to the production system.
Production software applications are dependent upon IT infrastructure supported by the Commonwealth Office of Technology (COT).  As a result of Executive Order 2012-880, Regarding the Centralization of Information Technology Infrastructure across the Commonwealth, the interdependency between applications and infrastructure has grown.  The need for a strong release management policy is essential to ensuring the predictability and stability of both the applications serving the citizens and businesses of the Commonwealth, and the infrastructure on which they reside.
The purpose of this Policy is to ensure all software application updates are reviewed and implemented in a rational and predictable manner. As COT seeks to implement best practices form the ITIL framework, establishing policy, processes and procedures for managing software releases is paramount.  Effective application and enforcement of these standards is also essential to ensuring reliable delivery of services. 
This policy does not detail every step required for promoting a change to production but rather the common requirements for effective management of these activities.
Agencies are responsible for the following prerequisites prior to requesting deployment of software code to the production environment:
1.    For new application deployments or major releases, completion of a Security Vulnerability Assessment in the Testing Environment, with verifiable proof thereof.  A Vulnerability Assessment Notification form (COT-F110) shall be submitted to the Commonwealth Service Desk at least 30 days prior to deployment.
2.    Completion of successful testing of all modifications in the Testing Environment, with verifiable proof thereof. 
3.    Verification of secondary dependencies or system interactions which could be affected by deployment.
4.    Creation of release notes outlining all changes contained within the release package.
5.    Development of an implementation plan and installation instructions.
6.    Verification of testing of the implementation plan and implementation instructions on a non-production system.  The test system must be logically separated from the environment in which the application was developed, and configured similarly to the production system.
7.    Development of a working roll-back strategy for the modifications.
Requests for deployment shall be submitted to the Commonwealth Service Desk via email on form COT-F052, Application Code Movement Form.  The request must be submitted by or contain approval from an Agency IT Services Contact.  COT reserves the right to reject any request that does not meet the necessary prerequisites, or is submitted in an incomplete or improper fashion. 
This page was last modified 12/22/2016 12:48 PM

Return to CIO Policies Home Page








Agency IT Services Contact Listing:

COT-F052 Application Code Movement Form for Distributed Systems

COT-F110 Vulnerability Assessment Notification Form