CM-03-727 Configuration Change Control

CM-03-727
Configuration Change Control
Configuration Management
Protect
Change Management, Secure Configuration Management
MOD, HIGH
P1
No
January 20, 2018

All changes that may impact a production Agency information resource are configuration-controlled. Such change requests shall follow the ITIL Change Management Process as documented in the TTI Change Management Process document.

Changes to the production environment that are inadequately tested disrupt the production environment. Management does not approve changes to the operating environment prior to implementation into production.
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Configuration changes are accepted prior to implementation.
No statewide control
Obtain configuration management policy; procedures addressing information system configuration change control; configuration management plan; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; and other relevant documents or records, and ascertain if:
(i) the organization employs automated mechanisms to document proposed changes to the information system;
(ii) the organization employs automated mechanisms to notify appropriate approval authorities;
(iii) the organization employs automated mechanisms to highlight approvals that have not been received in a timely manner;
(iv) the organization employs automated mechanisms to inhibit change until necessary approvals are received;
(v) the organization employs automated mechanisms to document completed changes to the information system; and
(vi) the organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.