Application Change Management Procedure
General
The System Service Request (SSR) is used to initiate and document all programming activity. It is used to communicate customer needs to Application Development (AD) personnel. An SSR may be initiated and prepared by a customer, a member of the AD staff, or any other individual who has identified a need or requirement, a problem, or an enhancement to an application. No tasks are to be undertaken without a completed SSR.
System Service Request
General
This form, specifying the desired results to be achieved, is completed by the customer and sent, together with supporting documentation, to AD. The request may include the identification of a problem or the documentation of a new request. Customers are encouraged to submit their request in sufficient detail to permit the AD project leader to accurately estimate the effort needed to satisfy the request, but it may be necessary for the project leader to contact the customer and obtain supplementary information. This information should be attached to a copy of the SSR.
After the requested programs have been completed, the agreed-upon Acceptance tests will be conducted. After the customer has verified that the request has been satisfied, the customer will indicate approval on the SSR. This form will also be used to document that the completed project has been placed into production status.
Processing
This section describes the processing of a System Service Request:
1. The customer initiates the process by completing the SSR and forwarding it to the appropriate Project Manager (PM) or the Director of Application Development.
2. The SSR is received in the AD department. Regardless of who in AD actually receives the SSR, it must be delivered to the appropriate PM.
3. If the PM finds the description of requirements on the SSR inadequate or unclear, the PM will directly contact the customer for clarification.
When the PM fully understands the requirements, the PM will prepare an analysis and an estimate of the effort required to satisfy the request. In some cases, the PM may feel that it is either impossible or impractical to satisfy the request. In this case, the PM will discuss with the customer the reasons why the request should not be implemented. If the customer reaffirms the request, the PM and Director of AD will jointly determine whether to appeal the customer’s decision to the Information Systems Steering Committee for a final ruling on the SSR.
1. If the project estimate is forty (40) hours or less, the detailed design should be reviewed with the customer. After design concurrence has been reviewed, the PM will project the tentative target date (TTD) for completion of the SSR. In setting the TTD, the PM will take into consideration the resources available and other project commitments. The TTD will be promptly communicated to the requesting customer.
2. If the project estimate exceeds forty (40) hours, the SSR and any supplemental project documentation will be forwarded to the ISSC for review, priority determination, and authorization to proceed.
The committee will determine whether the requested change is to be scheduled for immediate implementation, scheduled for future implementation, or disapproved. If the request is disapproved, it is immediately returned to the customer, together with an explanation of the reason(s) for disapproval. If it is approved for implementation, a priority designation is made and the SSR is returned to AD for implementation scheduling.
After implementation authorization has been received, the detailed design should be reviewed with the customer. After design concurrence has been received, the PM will project a TTD for completion of the project. In setting a TTD, the PM will take into consideration resources available and other project commitments. The TTD will be promptly communicated to the customer.
1. The PM will coordinate with AD personnel and other IT management and staff personnel (such as Database Administration, User Support Services, Network Administration, etc.) as to the resources that will be required to satisfy this request, or if there will be an operational or procedural impact in the other areas.
2. The PM will contact the customer to discuss, in detail, the test(s) that are to be conducted.
3. When Acceptance Testing (AT) has been completed, and the customer has verified the accuracy of the results obtained, the customer will indicate its approval to place the project into production by signing the SSR.
4. The Production Control Group (PCG) will place the project into production status. The PM will complete the bottom portion of the SSR, documenting that the project has been placed into production. The PM will log the status of the request as “completed” and file a copy of the SSR. The PM will promptly notify the customer that the project has been completed and placed into production.
Retention of Forms and Documentation
All documentation associated with the processing of each SSR will be retained for at least twelve (12) months.
• Meet business objectives. Security professionals must learn that the controls must help the organization reach an acceptable level of risk. One hundred percent security is zero percent productivity. Whenever controls or policy impact the business objectives or mission of the organization, then the controls and policy will lose. Work to understand that the policy exists to support the business, not the other way round.
The information security policy should cover all forms of information. In 1965 the computer industry introduced the concept of the “paperless office.” The advent of the third-generation computers had many in management believing that all information would be stored and secured electronically and that paper would become obsolete. When we talk to management about establishing an information security policy, it will be necessary to discuss with them the need to extend the policy to cover all information wherever it is found and in whatever format it exists. Computer-held information comprises a small percentage of the organization’s entire information resources. Make sure the policy meets the needs of your organization.