CIO-101 Enterprise Software Change Management Policy

Office of the Chief Information Officer Enterprise Policy
CIO-101: Enterprise Software Change Management Policy
Effective Date: 06/22/2016 
Revised: 10/23/2018
Reviewed: 10/23/2018

Policy Statement: This policy establishes controls concerning Enterprise Software Change Management.  The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment. 
- Enterprise Software Change Management: The process of controlling changes from developed, patched, or purchased applications entering the production environment.
- Release Notes: Instructions for deploying the code, stored procedures, and/or reports associated with a change to software.
- Release Package: A single release unit or a structured set of release units, consisting of new, changed and/or unchanged configuration items.
- Testing Environment: A non-production environment—logically separated from the environment in which the application was developed, and configured similarly to the production environment.
- COT Change Management Team: Commonwealth Office of Technology (COT) employees that review and implement modifications made within hosted applications and infrastructure.
- Agency Release Team: Agency employees that plan and control the release of software into the production environment, test, and implement software modifications.
This policy establishes a framework for controlling modifications to the Commonwealth of Kentucky's production software applications. Because production software applications operate on IT infrastructure supported by COT, this policy is essential to the predictability and stability of the applications, and of the infrastructure where the applications reside.
An agency may deploy software changes directly to the production environment if the agency meets the following requirements: 
a)    Agency shall assign an Agency Release Team responsible for coordinating with the COT Change Management Team.
b)    Agency shall utilize a COT standard release management system of record as outlined in the Enterprise Architecture and Kentucky Information Technology Standards (KITS).
c)    Agency shall provide the COT Change Management Team access to and training for the software, sufficient to support COT rollbacks, deploys, review, and audit. For any release, the default action in the event of an issue is an immediate rollback and analysis of the appropriate lower-level system (usually UAT). This action must be taken immediately at the discretion of the application owner or COT.
Alternatively, an agency may contact the COT Change Management team to arrange for COT Enterprise Software Change Management services.  These services require the Agency Release Team to coordinate with the COT Change Management Team.  Agencies requesting COT to deploy software into the production environment shall:
a)    Create Release Notes outlining all changes contained within the Release Package and identifying secondary dependencies or system interactions.
b)    Develop an implementation plan and installation instructions that include a rollback strategy.
c)    Complete successful testing of all modifications on a non-production system following the plan and instructions. 
d)    Identify the tester that provided change approval.
e)    Request deployment of the code. 
For new application deployments or significant changes to existing applications, agencies shall complete a security vulnerability assessment in the Testing Environment.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective applications of information technology within the executive branch of state government.
Applicability:  All executive branch agencies, and non-executive branch agencies using COT-managed infrastructure or services, shall adhere to this policy.  This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance:  Each agency shall ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it.  Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal.  COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance:  COT’s Office of IT Architecture and Governance is responsible for maintaining this policy.  Organizations may modify this policy to fulfill their responsibilities, but shall obtain approval through an exception request.  Organization staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle:  COT will review this policy at least every two years.
This page was last modified 8/6/2019 6:10 PM