Policy

Through this Program Change Management Control Policy, NYU strives to protect reasonably and appropriately the security, reliability, confidentiality, integrity, availability, and auditability of designated University computer applications, associated programs, repositories, and data. All changes to the production environment of those designated systems must follow a formal, documented program change management control process. It is the responsibility of those who install, operate, or maintain the designated University applications and associated programs and databases to comply with and follow the program change management control process and this Policy. The detailed procedures and business rules of the various schools and departments of the University for implementing this Policy shall be maintained.

Purpose of this Policy

Changes are made to production application services in order to add capabilities, improve performance, and increase reliability. By following a well thought-out, documented, and auditable program change management control process, NYU seeks to limit risks associated with making these changes.

The Policy Statement and the Operational Requirements define the fundamental precepts which govern the implementation of program change management control processes throughout New York University. This Policy is part of the IT Controls framework which, in turn, is integral to an effective internal control structure. This Policy, in conjunction with the Application Security Management Control Policy and the Policy on Responsible Use of NYU Computers and Data, provides the basis for a strong security environment for key University applications.

Scope of this Policy

Affected by this Policy are all schools and departments of New York University and all members of the NYU community in those schools and departments.

Operational Requirements

  1. Designation of Systems
    Appropriate University leaders shall designate certain systems to be subject to this Policy; for other systems, this Policy is only advisory, but adherence to the Policy is strongly recommended.
  2. Designation of Roles
    1. Appropriate University leaders may delegate program change management control responsibilities.
    2. If the system is determined to be subject to this Policy, the roles of the individuals in the areas responsible for making or authorizing changes to the production environment must be defined and designated.
    3. For any given University application, associated program, repository, and data, the roles of the individuals in the areas who are responsible for making or sponsoring changes to the production environment, including execution and sign-off, shall be clarified and documented. Those designated individuals may be responsible for technical support or may be responsible for business functionality and use, or both.
    4. The designated individuals in the specific areas entrusted with overall responsibility for the program change management control process may delegate those responsibilities as they deem appropriate.
      1. The specific change management control procedures shall be clear as to the roles and responsibilities of the individuals throughout the program change management process so that the minimum necessary data and systems are accessed.
      2. The specific change management control procedures shall be clear as to the separation of duties and responsibilities throughout the program change management process so that there is appropriate oversight and checks and balances.
    5. Those designated individuals responsible for making or sponsoring changes to the production environment have the obligation to inform and coordinate fully with all the affected parties.
    6. The responsibilities of the designated individuals apply to the particular system; designated individuals may be responsible for multiple systems.
    7. All individuals who have a role in any phase of the program change management control process must be provided appropriate ongoing education and training.
  3. Program Change Management Control Process
    1. The program change management control process shall be documented and shall consist of the following phases:
      1. Submission
      2. Evaluation: Approval/Response Options/Modification
      3. Assignment
      4. Development
      5. Testing and Sign-off
      6. Migration
      7. Implementation Management
      8. Communication and Training
      9. Report and Control
      10. Monitoring/Tracking of Requests
      11. Documentation, Version Control, and Retention
    2. The individuals who have specific system responsibilities in one or more of these phases shall be designated and their specific responsibilities shall be documented. Evidence of fulfillment of the specified roles shall be maintained either electronically or on paper for every change in each phase in order to document the appropriate operation of the program change management controls.
    3. The program change management control process documentation shall stipulate where the documentary evidence is maintained and how conformance with the procedures is monitored.
    4. Documented evidence (e.g., specifications, test scripts) that the program change management control process has been followed in all phases, including evidence of changes made to backup and disaster recovery plans, shall be retained either electronically or on paper for a minimum of one full fiscal year following the completion of the program change management control process or as designated by University policy or governmental regulation, whichever is longer, and maintained in a secure fashion.
    5. A mechanism for regular periodic review that the program change management control procedure is being followed shall be created and those reviews shall be documented either electronically or on paper and shall be retained for a minimum of one full fiscal year following the completion of the program change management control process or as designated by University policy or governmental regulation, whichever is longer, and maintained in a secure fashion.
    6. Appropriate user awareness and training shall be provided whenever a significant change is made to the production environment. Such training shall include on-site or remote methods, and documentation of such training shall be retained and secured.

Policy Definitions

  1. Change refers to any process of moving from one defined state to another, including implementation of new functionality, actions taken in response to interruption of service, and repair or removal of existing functionality.
  2. Program change management is the ongoing process that includes requesting, evaluating, scheduling, implementing, monitoring, reviewing, coordinating, communicating, and documenting all types of change to the information technology environment. The change management process produces approval (or otherwise) for any proposed change. Change management is responsible for managing change processes involving: hardware, communications equipment and software, system software, “live” applications software, and all documentation and procedures associated with the running, support, and maintenance of live systems.

Related Documents and Resources

Appendix

Designated applications under this Policy are:

  1. fame
  2. PeopleSync
  3. Student Information (SIS)

Notes
  1. Dates of official enactment and amendments: Feb 15, 2006
  2. History: Last Reviewed: August 3, 2021; Last Revised: August 3, 2021
  3. Cross References: N/A