Mitchell Hamline School of Law

Mitchell Hamline Policy Repository

Change Management Policy

Posted: May 18, 2023

Applies to: Staff

Policy Holder: Administrative Information Technology

Responsible Office: Administrative Information Technology

Contact Information: Chief Information Officer

Effective Date: March 1, 2023

Last Review Date: March 1, 2023

Approved by: Vice President of Finance and Administration

1.0 Background and Purpose

The purpose of the Mitchell Hamline School of Law (MHSL) Change Management/Control Policy is to establish the rules for the creation, evaluation, implementation, and tracking of changes made to MHSL Information Resources.

1.1 Who Needs to Know?

The MHSL Change Management/Control Policy applies to any individual, entity, or process that create, evaluate, and/or implement changes to MHSL Information Resource.

2.0 Policy

  • Changes to production MHSL Information Resources must be documented and classified according to their:
    • Importance,
    • Urgency,
    • Impact, and
    • Complexity.
  • Change documentation must include, at a minimum:
    • Date of submission and date of change,
    • Owner and custodian contact information,
    • Nature of the change,
    • Change requestor,
    • Change classification(s),
    • Roll-back plan,
    • Change approver,
    • Change implementer, and
    • An indication of success or failure.
  • Changes with a significant potential impact to MHSL Information Resources must be scheduled.
  • MHSL Information Resource owners must be notified of changes that affect the systems they are responsible for.
  • Authorized change windows must be established for changes with a high potential impact.
  • Changes with a significant potential impact and/or significant complexity must have usability, security, and impact testing and back out plans included in the change documentation.
  • Change control documentation must be maintained in accordance with the MHSL Data Retention Schedule.
  • Changes made to MHSL customer environments and/or applications must be communicated to customers, in accordance with governing agreements and/or contracts.
  • All changes must be approved by the Information Resource Owner, CIO/Director of Information Technology.
  • Emergency changes (i.e. break/fix, incident response, zero day threats etc.) may be implemented immediately and complete the change control process retroactively.