Policy 110 Information Technology Change Control and Management 

Purpose 

Policy 110: Information Technology Change Control and Management requires the development and application of processes to maintain the security and integrity of information assets (e.g., hardware, software, firmware) throughout their lifecycles. This process includes planning, developing, testing, and documenting changes, training personnel, and communicating changes to the WashU community (faculty, staff, students, and agents of the university).

Applicability and Audience 

This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data. 

This policy affects WashU community members with elevated permissions for making changes to the operations or functions of applications, systems, and/or infrastructure.  

All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

Information Security Roles and Responsibilities (100.01) 

Policy

110.00 Introduction

IT Technical Change Management addresses IT asset management throughout the asset lifecycle to prevent disruptions to IT services. The Office of Information Security participates in change management processes, focusing more narrowly on security-related changes, as described in this policy.  

Information Security change management allows the university to maintain the Confidentiality, Integrity, and Availability (CIA) of WashU information resources by monitoring and controlling security-related changes to critical assets and infrastructure. The change management process encompasses the addition, change, and removal of university information resources. Effective management and communication of changes minimizes the risk of security vulnerabilities and events when updating information systems.  

The primary goals of Information Security change control and management are to:  

  1. Make changes as required to remediate vulnerabilities and protect the security of WashU information resources.  
  2. Ensure that changes do not create new security vulnerabilities. 
  3. Manage changes according to a clearly communicated and predictable plan.  

The information security change management process includes, but is not limited to, the following functions:

  • Changing the baseline configuration of system and infrastructure security  
  • Changing the security configuration settings of information resources such as operating systems, applications, firewalls, routers, and mobile devices  
  • Updating software, applications, and databases. Refer to Policy 111: Information Security for Software Development, Management, and Administration for more information  
  • Tracking the following: security-related change requests, implemented changes, and change impacts 
  • Rolling back changes as necessary to resolve unintended negative impacts  
  • Identifying and addressing unauthorized changes   
  • Communicating criteria for assets subject to configuration changes (i.e., assets that will be managed according to the configuration change plan) 
  • Detailing the process by which configuration changes are approved, executed, and monitored 
  • Providing training guidelines 

With the support of OIS, System Owners will develop, maintain, and follow appropriately formal procedures for change management that consider risks to the CIA of information resources. Refer to Policy 100, Section 100.01 Roles and Responsibilities for additional information.  

110.01 Organizational Assets that Require Information Security Change Control and Management

Configuration items include any system or infrastructure components, documents, or other items that need to be managed to prevent errors in critical and important WashU information resources. Please visit the WashU IT Asset Management (ITAM) page for additional information.  

The OIS will work with system owners within departments and schools to test and approve baseline configurations for assets. Baselines will address the following attributes:  

  • Security posture (e.g., controls, architecture, configuration, system and application hardening, settings)
  • Installed software  
  • Patch levels  
  • System function  

110.02 Change Process

System Owners within departments and schools will develop and maintain documented processes, informed by system and information classification, for managing security changes. Refer to the IT Technical Change Management page for specific details about making a change request. 

110.03 Change Management Monitoring

The OIS and System Owners will develop processes to detect and mitigate change-related security risks by: 

  • Identifying affected systems and components that were not specified in the change management documentation. 
  • Detecting discrepancies between authorized baselines and implemented baselines.  
  • Detecting unauthorized changes in system logs. 
  • Collecting audit and configuration control records to track access to the system and the copying or use of source code. 
  • Determining remediation actions. 

110.04 Change Management Awareness and Training  

As necessary, the OIS will develop training and awareness campaigns pertaining to security-related changes. IT staff, project managers, engineers, and other personnel involved in the change process will engage in ongoing professional development to enhance their knowledge, skills, and abilities for evaluating, approving, initiating, and monitoring changes. 

Policy Compliance

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance could lead to disciplinary action as determined by management, the Area Specific Compliance Office, Human Resources, or the Office of Student Conduct. 

Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees. 

Related Policies, Standards, and Guidelines 

Policy 111: Information Security Software Development, Management, and Administration  

Policy Review

This policy will be reviewed by the OIS at a minimum of every three years.   

Policy Number and Title: 110: Information Security Change Control and Management  

Owner: Office of Information Security  

Approved By: Cyber Security Executive Advisory Committee

Original Approval Date: November 17, 2023

Current Version Publication Date: April 18, 2024