Change Management Policy


Policy Owner: Manager, IT Performance Achievement

Note: An owner must be a PCES-level manager.

PURPOSE

This document provides formally documented management expectations and intentions and is used to direct decisions and ensure consistent and appropriate development and implementation of processes, standards, roles, and activities.

The purpose of this policy is to ensure that any changes to the Postal Service Technology Environments are managed through an established process. The United States Postal Service (USPS) will utilize the best practice framework (e.g., Information Technology Infrastructure Library [ITIL]) for the implementation of Change Management within the Postal Service Technology Environments.

Change Management is the process that controls the life cycle of all changes, enabling beneficial changes to be made with minimum disruption to IT services.

The goals of the Postal Service Change Management Policy include the following:

SCOPE

This policy applies to all Postal Service personnel and contracted vendors involved in activities that cause or require changes to technology solutions within the Postal Service Technology Environments.

IT environments designated by the IT Leadership Team, including, but not limited to, applications, data, network, platforms, databases, middleware services, computing facilities, and systems management are covered under this policy. The Change Management Policy also applies to the design, configurations, parameters, and documentation of those components. This document is used in conjunction with all IT and Security Policies, Processes, and Standards, including those listed in the Supporting Documentation section.

POLICY

The following policy is established for Change Management:

EXCEPTIONS

Any requests for exceptions to this policy must be submitted in writing and will be reviewed on a case-by-case basis. Exceptions shall be permitted only after documented approval from the IT Leadership Team.

POLICY COMPLIANCE AND MONITORING

CRs will be audited on a periodic basis by the Change Management team for policy compliance. The appropriate IT executive manager will be notified of any individual who violates the policy. The violation may be subject to review and further actions.

POLICY REVIEW

The Change Management Policy will be reviewed on the following basis:

DEFINITIONS

Back-Out Plan: A plan used in the event that a change moved into production causes unwanted results and the system must be returned to a previous functional version to restore business operations.

Change Management: Controls the life cycle of all changes, enabling beneficial changes to be made with minimum disruption to IT services.

Change Request (CR): A formal request for change to any component of an IT infrastructure or to any aspect of an IT Service which is to be made to the IT Production Environment.

CMDB: An abbreviation for "Configuration Management Database," which is used to store configuration records throughout their life cycle. The configuration management system maintains one or more configuration management databases, each of which stores attributes of configuration items and their relationships with other configuration items.

Configuration Item (Cfg-Item): An abbreviation for "Configuration Item," which refers to any service asset component that needs to be managed in order to deliver an IT service. Information about each configuration item is recorded in a configuration record within the configuration management system and is maintained throughout its life cycle by service asset and configuration management. Configuration items are under the control of change management. They typically include IT services, hardware, software, buildings, people, and formal documentation such as process documentation and service level agreements.

In-Scope Environments and Applications: Pertains to those environments and/or applications, regardless of parent environment, that are subject to the Change Management Policy and associated processes.

IT Leadership Team: An executive body responsible for the guidance and direction of USPS IT Service Management.

Implementation Plan: A detailed plan explaining the activities necessary to implement the CR into the production and/or DEV, SIT, and CAT environments. It is referenced in another document.

Impact: The extent to which the change affects the business. Impact can be measured by the number of people affected, the criticality of the system affected, and the loss of revenue as a result of service degradation or disruption.

Risk: Defines the probability levels for disruption of service and/or usability as a result of implementing this change.

Production Environment: All system, process, and documentation components used in IT production.

Production Equivalent Environment: Any IT environment, such as CAT, Training, Pre-Production, and TEM, that is subject to Change Management policy controls as directed by the IT Leadership Team.

SUPPORTING DOCUMENTATION

Access Supporting Documentation from ITWEB (internal):

Access Supporting Documentation from USPS.com (external):

REVISION HISTORY

Non-substantive updates:

Version Date Description
1.0 02.26.2010 Initial release
1.1 08.25.2010 Updated the look and feel to be consistent with the other policies, processes, and standards.
2.0 09.14.2012 Introduction: Updated policy owner, added policy sponsor

Purpose: Added best practice and compliance statements.

Scope: Redefined environments

Policy:

  • Removed references to production and CAT environments
  • Added:
    • Statement that the corporate-approved standard tool must be used for Change Requests.
    • References to the ITSM Steering Committee.
    • Added requirements for back-out and implementation plans.
    • Defined how Change Requests must be submitted and approval required for updates/changes to any Change Request.
    • Requirement to include notification to and/or approval from business operations for changes that affect them.
    • CI changes must be updated in the CMDB and conform to the CMDB policy.
    • Training is required prior to access to the tool.
    • Best practice and compliance statement.

Policy Compliance and Monitoring; Exceptions; Policy Review; Definitions: New sections

3.0 07.17.2013 Rewritten to remove tool-specific references and updated to address SOX and PCI compliance requirements.
3.1 08.09.2013 Supporting Documentation: Added link to IT Reporting / Helpful Links.
3.2 11.07.2014 Policy: Added functionality testing requirement for PCI in-scope systems.
3.2.1 06.26.2015 Annual Review: The annual review for functional accuracy and current PCI DSS requirements has been completed. CR 84436.

Non-substantive updates:

  • Link to IT Self Help replaced by link to ServiceNow
  • Link to IT Reporting / Helpful Links replaced by link to ServiceNow Change Management User Guide
  • Link to retired Configuration Management Standards deleted
3.3 11.06.2015 Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 122936.

Entire document: Changed ITSM Steering Committee to IT Leadership Team.

Policy:

  • Clarified requirements for back-out plans.
  • Changed requirement for "Direct PCES Manager" approval to "PCES Manager" approval.
  • Changed "change must be restarted" to "CR must be cancelled" to align with current functionality.
  • Changed time a CR may be open from 45 to 60 days.

Supporting Documentation: Added "Create a Change Request for PCI In-Scope Changes" procedure.

3.4 05.16.2016 Supporting Documentation section: Added ServiceNow – Change Management Approval Matrix.
Updated the Policy section regarding core business hours and specifying the need for PCES-level approvals for Production changes occurring during core business hours.
3.4.1 06.09.2016 Non-substantive update: Updated the hyperlink to Create a Change Request for PCI In-Scope Changes.
3.5 07.22.2016 Policy section: clarified exceptions as non-PCI systems and clarified PCI Environment.

Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 195809.