Change Management Policy

Purpose 

Southwestern Oklahoma State University (SWOSU) is committed to ensuring that changes made to SWOSU IT resources minimize potential negative impact on any SWOSU IT services. Effective change management requires planning, communication, monitoring, rollback, and follow-up procedures to reduce negative impact on the user community.

This policy defines how changes are made to SWOSU technology, including but not limited to servers, networks, applications, and data. Following this policy will reduce the risk of incidents, which will preserve the integrity of business operations and reporting. Without policy procedures, the risk of incidents would be higher, and accountability for IT changes would be insufficiently documented. The goal of this policy is to reduce the risk of incidents when changes are made to the IT infrastructure and applications. Change Management reduces risk through the use of a standardized set of procedures to document, communicate, and implement changes.

Scope 

This IT policy applies to all SWOSU staff, faculty, and university units who use, access, or otherwise employ, locally or remotely, and systems that undergo changes which have the potential to impact the university’s operations, infrastructure, processes, or services. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of SWOSU’s information assets, and protects the interest of SWOSU, its customers, personnel, and business partners. This policy works in conjunction with the Change Management Log.  

Statement 

Southwestern Oklahoma State University recognizes the importance of effective change management to ensure the successful implementation of changes that impact the university's operations, processes, and systems. This Change Management Policy establishes guidelines and procedures for managing changes in a structured and controlled manner to minimize disruption and maximize the benefits of change within the university.

Changes to information resources and services are managed and executed according to a formal change control process. The control process ensures that changes that are proposed are reviewed, authorized, tested, implemented, and released in a controlled manner and that the status of each change is monitored and documented. 

Objectives 

In issuing this policy, SWOSU is guided by the following objectives. 

  1. Minimize disruption: Ensure that changes are planned, tested, and implemented in a manner that minimizes disruptions to ongoing operations and services. 

  2. Increase recording: Ensure that changes are recorded and evaluated, and that authorized changes are prioritized, documented in the Change Management Log, and reviewed in a controlled manner. 

  3. Increase efficiency: Improve efficiency and effectiveness by identifying and implementing process improvements and optimizing the use of resources through the change management process. 

  4. Enhance communication: Promote effective communication and collaboration among stakeholders involved in the change process to ensure transparency, shared understanding, and support throughout the change lifecycle. 

  5. Mitigate risks: Identify and mitigate risks associated with changes, including potential negative impacts on quality, security, compliance, and stakeholder satisfaction. 

  6. Maximize benefits: Facilitate the realization of benefits from changes by aligning them with organizational goals, objectives, and strategic priorities. 

Policy 

  1. Policy Definitions 

  • Change Management- This term refers to the addition, modification, or removal of anything that could affect IT services. The scope of changes could include changes to all architecture, process, tools, metrics, and documentation, as well as changes to IT services and other configuration items. 

  • Change Request- This term refers to a documented request to modify any IT service or infrastructure.  

  • Change Initiator- The individual or department proposing a change and initiating the change request. 

  • Change Management Team- The team responsible for planning, coordinating, and executing change activities. 

  • Stakeholders- Individuals or groups affected by or involved in the change. Includes end-users, managers, IT personnel, and other relevant parties. 

  • IT Resources or ITS Infrastructure- These terms refer to SWOSU's information processing resources including all SWOSU owned, licensed, or managed computing services, hardware, software, use of SWOSU's network via physical or wireless connection regardless of ownership of the computer or device connected to the network, database(s), and solution technologies managed by the Information Technology Services department.

  • Standard or Minor changes- Changes to a service or to the IT infrastructure. These changes are performed on a regular basis and are considered routine. The implementation process and risks of these changes are known up front. These changes do not need to be requested or approved. Examples include: 

    • Application of a security patch for Windows servers. 

    • A new vulnerability has been identified, and a firewall rule is needed to block it. 
    • New printer installation 

  • Significant changes- Changes that will have a significant impact on multiple users, even if the change is simple to implement. These types of changes need to go through the change process before approval and implementation. Examples include: 

    • Moving a new development project into production 

    • Adding a new server 
    • Upgrade to a wireless controller 

    • Colleague updates

  • Emergency changes- Changes that must be performed as soon as possible. These types of changes are completed to fix an IT resource outage or to address an issue that cannot wait for a normal review process. These changes are normally recorded after the change has been made. Examples include:

    • Needing to fix a security breach that requires a patch to many workstations. 

    • Taking a part of the network offline so that computers cannot spread an infection. 
    • Wireless connectivity is broken due to a software bug which prompts an immediate upgrade to install. 

    • A patch to address a critical, time-sensitive security vulnerability.

  2. Policy Standards

    1. All University IT Resources changes must be documented in the Change Management Log. This log must contain, but is not limited to:

      • The date of the change request.

      • Reason for the change.

      • Summary of impact.

      • Who requested and who completed the change.

      • The date the change request was completed.

    2. All changes to University IT Resources must follow the SWOSU ITS Change Control Process to ensure that the appropriate approvals, planning, and execution of requested changes are completed.

    3. Change requests may not be required for non-production environments.

    4. Change requests for production must include notes that the change has been successfully applied, tested, and verified in a non-production environment when such an environment exists.

    5. Changes to the production environment must be examined before approval of the change request. The results will be used to determine the impact of the change by considering:

      • The impact the proposed change will have on business services if it is expected to cause a widespread outage, a loss of connectivity, or a loss of functionality to a specific group or groups.

      • The risk involved in not making the change.

      • The risk involved if the change does not go as planned.

      • The predictability of the success of the change.

    6. Change requests must be examined for security implications by members of the IT security staff.

    7. Changes that will significantly affect the user experience must be conveyed to the affected audience, the Director of Information Technology, and the ITS Helpdesk.

    8. If an incident occurs during the change request, a ‘lessons learned’ session should be held by the appropriate members of the IT team and the incident response team.

Procedure 

  1. Change Identification: 

  • Any individual or department identifying the need for a change must document and describe the change, including its rationale and potential impacts. 

  • The change initiator must submit the request to the ITS department via a Change Request Form. Any change item that will have an impact on PII (Personally Identifiable Information) should be noted as such with any additional information/requirements completed appropriately. 

  2. Change Evaluation:

  • The ITS department will evaluate the change request, considering its feasibility, potential risks, impacts, resource requirements, and alignment with university goals. Requests are evaluated by the corresponding ITS members depending on the change type and infrastructure affected.

  • If necessary, the ITS department may request additional information or clarification from the change initiator. 

  • Requests will be vetted for security implications by ITS security members. 

  3. Change Approval:

  • The ITS Director will approve change requests after they have been evaluated by the ITS office and ITS security members.

  • The ITS Director has the right to deny a change request. 

  • Changes classified as an emergency change do not need to be evaluated and are sent directly to the ITS Director for approval. 

  4. Change Planning:

  • Upon approval of the change request, a change management team will be assigned to plan and coordinate the change activities.  

  • The change management team will develop a comprehensive change plan that includes objectives, scope, timeline, resource requirements, communication strategy, and risk mitigation measures.  

  • The change plan will be reviewed and approved by relevant stakeholders before proceeding to implementation.  

  • The change’s implementation will be scheduled based on the project plan determined by the change management team.

  5. Change Implementation:

  • The change management team will execute the change plan according to the defined timeline, ensuring that all necessary steps, tests, and approvals are followed. 

  • The ITS Director has the right to deny a scheduled or unscheduled change for reasons including but not limited to: 

    • Inadequate change planning or testing 

    • Concerns of system integration 
    • Missing or deficient roll-back plans 

    • Security risks or implications 
    • Negative impact to key business processes 

    • Timeframes do not align with scheduling resources.

  • Changes will be implemented in a non-production environment when applicable. Testing will be conducted in the non-production environment when applicable.

  • Regular communication and updates will be provided to stakeholders throughout the implementation process. 

  • In case of any unforeseen issues or risks during the implementation, appropriate mitigation measures will be enacted to minimize the impact on operations. 

  6. Change Review and Closure:

  • Following the implementation, the change management team will conduct a post-implementation review to assess the success of the change, capture lessons learned, and identify areas for further improvement. 

  • Changes will be assessed for any system issues, any impacts to business procedures that the change may have had, and any security impacts that the change may have had.  

  • An assessment report will be filled out by the change management team and submitted to the ITS Director. 

  • Once the change is reviewed and validated, it will be formally closed, and relevant documentation will be updated to reflect the changes made. 

Related Laws, Regulations and Policies 

  1. Federal: Privacy Act of 1974; Family Educational Rights and Privacy Act (FERPA); Gramm-Leach-Bliley Act (GLB-A); the Health Insurance Portability and Accountability Act (HIPAA); and the Payment Card Industry (PCI) Data Security Standard (DSS). The process of change management should support these, and other applicable University policies found on the Information Technology Services policies website.

Compliance 

All SWOSU employees and stakeholders involved in the change management process are required to adhere to this policy. Non-compliance may result in delays, disruptions, and potential risks to the university’s operations and services. Employees who violate this policy and its associated procedures may be subject to disciplinary action. 

Revision & Approval History 

| Date of Change | Version | Responsible | Summary of Change | Date Approved | Approved By |
|---|---|---|---|---|---|
| June 2023 | | ITS | Created as policy | 6/26/2025 | ECC |