Policy

top

Through this Program Change Management Control Policy, NYU strives to protect reasonably and appropriately the security, reliability, confidentiality, integrity, availability, and auditability of designated University computer applications, associated programs, repositories, and data. All changes to the production environment of those designated systems must follow a formal, documented program change management control process. It is the responsibility of those who install, operate, or maintain the designated University applications and associated programs and databases to comply with and follow the program change management control process and this Policy. The detailed procedures and business rules of the various schools and departments of the University for implementing this Policy shall be maintained.

Purpose of this Policy

top

Changes are made to production application services in order to add capabilities, improve performance, and increase reliability. By following a well thought-out, documented, and auditable program change management control process, NYU seeks to limit risks associated with making these changes.

The Policy Statement and the Operational Requirements define the fundamental precepts which govern the implementation of program change management control processes throughout New York University. This Policy is part of the IT Controls framework which, in turn, is integral to an effective internal control structure. This Policy, in conjunction with the Application Security Management Control Policy and the Policy on Responsible Use of NYU Computers and Data, provides the basis for a strong security environment for key University applications.

Scope of this Policy

top

Affected by this Policy are all schools and departments of New York University and all members of the NYU community in those schools and departments.

Operational Requirements

top
  1. Designation of Systems
    Appropriate University leaders shall designate certain systems to be subject to this Policy; for other systems, this Policy is only advisory, but adherence to the Policy is strongly recommended.
  2. Designation of Roles
    1. Appropriate University leaders may delegate program change management control responsibilities.
    2. If the system is determined to be subject to this Policy, the roles of the individuals in the areas responsible for making or authorizing changes to the production environment must be defined and designated.
    3. For any given University application, associated program, repository, and data, the roles of the individuals in the areas who are responsible for making or sponsoring changes to the production environment, including execution and sign-off, shall be clarified and documented. Those designated individuals may be responsible for technical support or may be responsible for business functionality and use, or both.
    4. The designated individuals in the specific areas entrusted with overall responsibility for the program change management control process may delegate those responsibilities as they deem appropriate.
      1. The specific change management control procedures shall be clear as to the roles and responsibilities of the individuals throughout the program change management process so that the minimum necessary data and systems are accessed.
      2. The specific change management control procedures shall be clear as to the separation of duties and responsibilities throughout the program change management process so that there is appropriate oversight and checks and balances.
    5. Those designated individuals responsible for making or sponsoring changes to the production environment have the obligation to inform and coordinate fully with all the affected parties.
    6. The responsibilities of the designated individuals apply to the particular system; designated individuals may be responsible for multiple systems.  
    7. All individuals who have a role in any phase of the program change management control process must be provided appropriate ongoing education and training.
  3. Program Change Management Control Process
    1. The program change management control process shall be documented and shall consist of the following phases:
      1. Submission
      2. Evaluation: Approval/Response Options/Modification
      3. Assignment
      4.  Development
      5. Testing and Sign-off
      6. Migration
      7. Implementation Management
      8. Communication and Training
      9. Report and Control
      10. Monitoring/Tracking of Requests
      11. Documentation, Version Control, and Retention
    2. The individuals who have specific system responsibilities in one or more of these phases shall be designated and their specific responsibilities shall be documented. Evidence of fulfillment of the specified roles shall be maintained either electronically or on paper for every change in each phase in order to document the appropriate operation of the program change management controls.
    3. The program change management control process documentation shall stipulate where the documentary evidence is maintained and how conformance with the procedures is monitored.
    4. Documented evidence (e.g., specifications, test scripts) that the program change management control process has been followed in all phases, including evidence of changes made to backup and disaster recovery plans, shall be retained either electronically or on paper for a minimum of one full fiscal year following the completion of the program change management control process or as designated by University policy or governmental regulation, whichever is longer, and maintained in a secure fashion.
    5. A mechanism for regular periodic review that the program change management control procedure is being followed shall be created and those reviews shall be documented either electronically or on paper and shall be retained for a minimum of one full fiscal year following the completion of the program change management control process or as designated by University policy or governmental regulation, whichever is longer, and maintained in a secure fashion.
    6. Appropriate user awareness and training shall be provided whenever a significant change is made to the production environment. Such training shall include on-site or remote methods, and documentation of such training shall be retained and secured.

Policy Definitions

top
  1. Change refers to any process of moving from one defined state to another, including implementation of new functionality, actions taken in response to interruption of service, and repair or removal of existing functionality.
  2. Program change management is the ongoing process that includes requesting, evaluating, scheduling, implementing, monitoring, reviewing, coordinating, communicating, and documenting all types of change to the information technology environment. The change management process produces approval (or otherwise) for any proposed change. Change management is responsible for managing change processes involving: hardware, communications equipment and software, system software, “live” applications software, and all documentation and procedures associated with the running, support, and maintenance of live systems.

Related Documents and Resources

top

Appendix

top

Designated applications under this Policy are:

  1. fame
  2. PeopleSync
  3. Student Information (SIS)

Notes
top
  1. Dates of official enactment and amendments: Feb 15, 2006
  2. History: Last Reviewed: January 8, 2024; Last Revised: August 3, 2021
  3. Cross References: N/A