Change Control and Configuration Management
IVT 11th Annual Conference
April 2010
Gisele Fahmi, B.Eng., M.A.Sc.

DISCLAIMER
Amgen is not responsible for the written or verbal content of this presentation

Agenda - Part 1
- Definitions and Overview
  - Change Control
  - Configuration Management
  - Change & Configuration Management Relationship
- IS Change Control/Management
  - Terminology
  - Key Resources Responsibility
  - Type Categories
  - Phases
  - Process Summary
  - Tips
  - Emergency/Urgent Changes

Agenda - Part 2
- IS Configuration Management
  - Terminology
  - Key Resources Responsibility
  - Phases
  - Process Summary
  - Tool tips
- Summary
- Interactive session

Definitions and Overview
Change Control
Change Control/Management is a formal process used to ensure that:
- Changes to a product or system are introduced in a controlled and coordinated manner
- It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into the system or undoing changes made by other users of software
The goals of a change control procedure usually include:
- Minimal disruption to services
- Reduction in back-out activities
- Cost-effective utilization of resources involved in implementing change

Definitions and Overview
Change Control …Cont’d
Change Management is:
- A structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state (Source: Wikipedia)
- The process during which the changes of a system are implemented in a controlled manner by following a pre-defined framework/model with, to some extent, reasonable modifications
- A systematic approach to proposing, evaluating, approving, implementing, and reviewing changes (Source: ICH Q10)

Definitions and Overview
Configuration Management
Configuration Management (CM) is a field of management that focuses on:
- Establishing and maintaining consistency of a system's performance, its functional/physical attributes with its requirements/design, and operational information throughout its life

Definitions and Overview
Configuration Management …Cont’d
Configuration Management is responsible for:
- Identifying, Controlling, and Tracking all versions of hardware, software, documentation, processes, and procedures under the control of Change Management
- These items are referred to as Configuration Items (CIs) and all changes to them are recorded and tracked throughout the component lifecycle

Definitions and Overview
Change & Configuration Management Relationship
- A CI is an aggregation of hardware or software or both that is designated for Configuration Management and treated as a single entity in the Configuration Management process (Source: IEEE)
- During the assessment of a proposed change, the Configuration Management process identifies the CIs affected by the Change
- Change Implementation involves update and verification of impacted CIs and documentation

IS Change Control/Management
Terminology
- Baselines: Baselines are the core of Software Change Management (SCM); they provide a stable platform to work from
- The Configuration Items that are identified determine the baseline(s) associated with the project

Change Baseline Scheme Diagram
[Figure: Change Baseline Scheme Diagram. Labels: Requirements Analysis/Gathering, System Requirements Specification, Software/System Design, Design Specification, Coding, Source Code, Testing/Data/Results, Coding Execution, Release, System Deployed in Production]

IS Change Control
Terminology…Baseline
Baseline is a secure specification of the software in the current state:
- Changes to the baseline can only be made by following strict change control procedures. The baseline must be protected from any unauthorized changes
- A new baseline is established for each complete set of approved system changes
- Each baseline must include a cross-reference, or traceability matrix that maps each design element to their corresponding software requirements

IS Change Control
Terminology…Cont’d
- Change: The addition, modification or removal of anything impacting a regulated system. The scope should include all IT Services, Configuration Items, Process, Documentation, etc.
- Change Record: A Record containing the details of a Change. Change Records should reference the Configuration Items that are affected by the Change
- The receipt of a change request initiates the lifecycle of a Change Record

IS Change Control
Terminology…Cont’d
Change Control Board (CCB) or Change Advisory Board (CAB):
- An authoritative and representative group of cross-functional resources who assist the Change Manager in the assessment, prioritization and scheduling of changes for all high impact Requests for Change (RFCs)
- They advise Change Management on the priorities of RFCs and propose allocations of resources to implement those Changes
- A CAB is an integral part of a defined change management process designed to balance the need for change with the need to minimize inherent risks

IS Change Control
Key Resources Responsibility
Determining roles and responsibilities
- The 4 Ws: who, what, when, and why of change

IS Change Control Key Resources
Responsibility …Cont’d
Change Manager (CM)
- Reviews RFCs to ensure adherence to the Change Management Process
- Provides guidance and training to COs throughout the change control process
- Accepts or rejects RFCs
- Plans and chairs the CCB/CAB meetings
- Closes RFCs upon successful completion of all change related activities

IS Change Control Key Resources
Responsibility …Cont’d
Change Owner (CO)
- Owns the change throughout its lifecycle
- Assigns, coordinates, and ensures completion of assessments and approvals and presents proposed changes to the CCB/CAB
- Creates implementation and roll back plans
- Assures that areas affected by the change are notified in advance of the release and verifies successful implementation of the change
- Assures testing is performed and results are appropriately documented
- Notifies Change Manager of any unsuccessful changes and takes appropriate measures to remediate/resolve

IS Change Control Key Resources
Responsibility …Cont’d
Change Requester (CR)
- Collects basic information to initiate the RFC in the change control management system
- NOTE: Change Requester is the CO in most cases
Business Owner (BO)
- Accountable for providing a business assessment to support the change
- Ensures that new system/service requirements are delivered via the change
- Assures the impact assessment is appropriate and fulfills the business needs

IS Change Control Key Resources
Responsibility …Cont’d
System Owner (SO)
- Owner of the impacted CI and accountable for providing a technical assessment to support the change
- Responsible for ensuring a system is designed to meet the business requirements and steady state support
- Assures the impact assessment and the rollback plan are appropriate within the planned schedule
- Works with all interdependent System Owners, if applicable, of the RFC CI prior to the change implementation

IS Change Control Key Resources
Responsibility …Cont’d
Quality Approver (QA)
- Serves as a CCB/CAB member
- Reviews and approves or rejects RFCs
- Ensures change content is compliant with the appropriate regulations and procedures
Validation Assessor (VA)
- Serves as a CCB/CAB member
- Defines validation activities and strategy required
- Ensures compliance during the change execution
- Identifies compliance issues, if applicable, that must be resolved before the RFC moves to the next change phase

IS Change Control Type Categories
Critical Change
- Significant impact on the functionality, including qualified/validated status of GxP systems
- Highest risk factor/level and impact to critical business processes and service level
- This change category requires extensive planning and scheduling since it implies cross system impact
- The change requires planned outage outside of the scheduled maintenance window defined for the system
- Examples: Full version upgrade of a GxP application, or a change that involves release of a new GxP application

IS Change Control Type Categories …Cont’d
Medium Change
- Requires substantial resources to plan, build and implement
- Medium risk factor/level and minimal impact to business processes
- The change does not result in significant functional modifications
- Changes do not pose significant impact to the validated/qualified status of GxP systems

IS Change Control Type Categories …Cont’d
Minor Change
- Minor risk factor/level
- Planning, scheduling, and activity coordination takes place within one single functional area
- Only impacts a single system
- Does not involve a full version upgrade of a GxP application
- Does not involve a new release of a GxP application

IS Change Control Type Categories …Cont’d
Standard Change
- This change category is governed by a specific procedure documented in detail for auditing purposes
- Changes classified under this change type are part of routine/maintenance activities
- Change does not affect the functionality or validated/qualified status of GxP systems

IS Change Control Type Categories …Cont’d
Risk factors are determined based on:
- Number of users
- Number of systems impacted
- Cross functional/global impact
- Regulatory status
- Business activities supported by the system
- Planned downtime required for implementation/deployment in production
- Resources required to implement
NOTE: Critical and Medium Changes are required to be presented at CCB/CAB meeting. Minor changes are at the discretion of the Change Manager

IS Change Control Phases
Creating a Change Control Process KIM (Keep In Mind)
- Documenting the change request life cycle
- Establishing and communicating change control procedures
- Facilitating change from requirements through maintenance

IS Change Control Phases …Cont’d
Initiation
- Change requester initiates the RFC by recording at a minimum:
  - A change owner if different from change requester
  - Description of the change
  - CIs impacted by this change
  - Requested completion date
  - The recommended change type category
  - Success criteria of the change
  - Roll back plan
- A unique identifier is assigned to every RFC

IS Change Control Phases …Cont’d
Review/Initial Authorization
- Change Manager reviews the submitted RFC then rejects/accepts the change based on the completeness of information
- If rejected, the Change Manager records the rejection reason and the RFC status is changed to return to the Change Requester
- If accepted, the CM confirms the change type and promotes the RFC to the next level/phase
- The SO and BO provide their initial authorization to the change record
- For Standard Changes, the CM promotes the RFC and the CO can perform the change record phases and proceed to closure

IS Change Control Phases …Cont’d
Assessment/Development
- CO assigns the corresponding appropriate resources to each required assessment and initiates the assessment phase
- For Standard Changes, neither regulatory assessment nor approval by Quality is required
- Change Assessors complete the following assessments (refer to next slide):

IS Change Control Phases …Cont’d
Assessment/Development Cont’d
Technical Assessment - SO
- Change Impact: describe changes required to the system design and impact of those changes on other systems
- Resource Analysis: estimate the resources needed (Network, Developer with specific skills, etc.)
- Document Update Plan: identify key change deliverables required, including but not limited to:
  - Code/design review
  - Design Specification
  - Admin SOP, etc.

IS Change Control Phases …Cont’d
Assessment/Development Cont’d
Technical Assessment - SO - Cont’d
- Proposed solution/design strategy: Specify technical details of the change and how it is being performed
- Test plan: testing strategy required to test the change. Includes the rationale for the proposed testing approach
- Rollback plan: back out plan description in case of a system/change failure
- Release plan: Implementation schedule, plan and audience to be notified of change release

IS Change Control Phases …Cont’d
Assessment/Development Cont’d
Business Assessment - BO
- Impact of change: describe the changes needed to support the business process and/or business requirement
- Resource analysis: analyze what resources are needed to represent the affected business area(s)
- Document update plan: key change deliverables, including but not limited to: Requirements Specification, Operations SOP, Training documents
- Training Plan: specify timeline for roll out of training

IS Change Control Phases …Cont’d
Assessment/Development Cont’d
Validation Assessment - VA
- Validation Impact summary: Impact to the validated state of the system, impact to Validation docs and SOPs if applicable
- Document Update Plan
- Training Plan: Verify if completed via technical or business assessment
- Test Strategy: Specify environments that need to be tested and types of testing required. Also provide details about what validation documents and SOPs are required.

IS Change Control Phases …Cont’d
Assessment/Development Cont’d
- CO reviews the accuracy of the assessments and obtains approvals/assessments for the change before proceeding (Authorization to proceed requires CM and/or CAB approval)
- SO, BO, CAB-CM (if selected), and Quality complete their assessment authorization
- The change enters development and is completed per the requirements and design changes
- Development summary is documented in the change record
Note: CAB includes: technical/business/compliance members

IS Change Control Phases …Cont’d
Test/Approval to Implement
- Record test results in the test summary of the change record
- Required documentation needs to be complete prior to proceeding with CAB approval (i.e. Test results summary recorded and documented in the change record)
- CM organizes and presents test results at CAB
- CAB release approval obtained; then BO, SO, Quality provide their release approval

IS Change Control Phases …Cont’d
Release/Deployment
- After change is approved for release, CO coordinates change deployment in production
- CO ensures release package is scheduled and activities required for release are complete

IS Change Control Phases …Cont’d
Closure
- CM reviews the post-implementation package to ensure the change record is complete
- CM closes the change record

IS Change Control Assessment Matrix Based on Change Type
Minimum Required Assessments

Change Type                   Technical Assessment   Business Assessment   Regulatory Assessment
Regulatory Critical, Medium   Required               Required              Required
Regulatory Minor              Required               N/A                   Required
Standard                      N/A                    N/A                   N/A

IS Change Control Process Summary
[Table: Change control Phases (with Authorizations, Assessments, Tasks, Approvals, and Roles) for each regulated Change Type (Critical, Medium, Minor, Standard). Column labels: Initiation; Review & Initial Authorization; Assessment; Validation Assessment; Assessment Authorization; Development; Test/Approval to implement; Release Approval; Release & deployment; Closure. Additional label: Signature Authorization to proceed.]

IS Change Control Tips
Before implementing any change it is recommended to:
- Have an informal review involving target resources to be impacted by the change (SO, BO, etc.)
- Review the impact of the change requested. It is not always necessary to apply the change (e.g. it may be a “nice-to-have” low priority request)
- Perform an analysis and assessment of the technical proposal of how the requested change will be engineered
- Review the cost and resource estimates in case further steps are required
BENEFIT: Perform the above steps early to identify potential cost/time savings by incorporating into a subsequent release.

IS Change Control - Emergency/Urgent Changes
Definition: Emergency Changes relate to immediate resolution of a known production incident where an outage of a system, application or other service component has occurred
Emergency Changes must be associated with a high priority incident
Emergency Process Description:
1. The Change Requestor initiates the RFC:
- Unless a delay in action would create a major business impact (e.g., potential loss of product, unrestricted spread of a computer virus)
- If an RFC cannot be created, obtain an emergency change approval from the SO, BO or CAB member before proceeding. This approval can be obtained verbally, followed by an email within 24 hours which will be provided to the Change Manager and attached to the to-be change record
- Initiate an RFC within 1 business day of performing the emergency remediation
2. The RFC is reviewed by the Change Manager to ensure the required information has been recorded. The RFC is either accepted or rejected based on the outcome of the review
3. A change record is created
4. The Change Manager obtains approval/rejection from the SO, BO or CAB member. The Change Manager updates the change record per the decision. This approval can be obtained verbally.
5. The Change is deployed. Ensure that documented evidence of the change is maintained and attached to the change record
6. The Change Owner will notify impacted parties (including Quality for Regulated CIs) within 1 business day of the emergency
7. The remaining tasks in the change record must be executed within 1 month after the release of the change
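The time limits in the emergency process above can be checked mechanically against change records. The following is an added example, not part of the presentation: the record fields, the Monday-to-Friday business-day rule without holidays, and the use of the remediation time as the start of both the notification and the one-month clocks are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class EmergencyChange:  # field names are hypothetical, not from the slides
    rfc_id: str
    incident_priority: str
    remediated_at: datetime            # emergency fix deployed (release)
    rfc_initiated_at: datetime
    notified_at: Optional[datetime] = None
    tasks_closed_at: Optional[datetime] = None
    verbal_approval_at: Optional[datetime] = None
    approval_email_at: Optional[datetime] = None

def add_business_days(start, days):
    """Same clock time N business days later (assumes Mon-Fri, no holidays)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

def add_one_month(start):
    """Same day next calendar month, clamped to that month's last day."""
    year, month = start.year + start.month // 12, start.month % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)

def audit(change, now):
    """Return the timing and association rules this record breaks as of `now`."""
    findings = []
    if change.incident_priority.lower() != "high":
        findings.append("not associated with a high priority incident")
    next_business_day = add_business_days(change.remediated_at, 1)
    if change.rfc_initiated_at > next_business_day:
        findings.append("RFC initiated more than 1 business day after remediation")
    if change.verbal_approval_at is not None:
        email_due = change.verbal_approval_at + timedelta(hours=24)
        if (change.approval_email_at or now) > email_due:
            findings.append("verbal approval not followed by email within 24 hours")
    if (change.notified_at or now) > next_business_day:
        findings.append("impacted parties not notified within 1 business day")
    if (change.tasks_closed_at or now) > add_one_month(change.remediated_at):
        findings.append("remaining tasks not executed within 1 month of release")
    return findings

# Constructed sample records (not real change data)
COMPLIANT = EmergencyChange("RFC-EX-1", "High", datetime(2010, 4, 16, 15, 0),
    datetime(2010, 4, 19, 10, 0), datetime(2010, 4, 19, 9, 0),
    datetime(2010, 5, 14, 12, 0), datetime(2010, 4, 16, 14, 30),
    datetime(2010, 4, 17, 9, 0))
LATE = EmergencyChange("RFC-EX-2", "Medium", datetime(2010, 4, 12, 9, 0),
    datetime(2010, 4, 14, 9, 0), verbal_approval_at=datetime(2010, 4, 12, 8, 30))

if __name__ == "__main__":
    as_of = datetime(2010, 5, 20, 9, 0)
    for record in (COMPLIANT, LATE):
        print(record.rfc_id, audit(record, as_of) or "compliant")
```

Open items (no email, notification or closure recorded yet) are only flagged once `now` is past the deadline, so the same check works for in-flight changes.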
IS Configuration Management
Terminology
Configuration Management Database: A CMDB is a repository of information related to all the components of an information system
A CMDB helps an organization understand the relationships between the system components by recording configuration items (CI) and details about the important attributes and relationships between CIs
Configuration Management System (CMS): A set of tools and databases used to manage configuration data. A CMS is maintained by a configuration management process
Configuration Item (CI): An object that is treated as a self-contained unit for the purposes of identification and change control. All configuration items (CIs) are uniquely identified by codes and version numbers
Configuration Management oversees the lifecycle of the CIs through a combination of processes and tools
The objective of these systems is to avoid the introduction of errors related to lack of testing or incompatibilities with other CIs
From the perspective of the implementer of a change, the configuration item is the "what" of the change. Altering a specific baseline version of a configuration item creates a new baseline version of the same configuration item
In examining the effect of a change, first consider:
- What configuration items are affected? and
- How have the configuration items been affected?
The above considerations are part of the change management impact analysis
1. Examples of CI attributes/properties/specifications in scope for the CMS include (but not limited to):
- CI Name: Application/System name
- CI Classification:
  - Business Application: collection of components deployed and assigned a version number
  - Business System: group of interdependent applications and other system resources that interact to accomplish specific business functions
  - Business Service: service delivered to business customers
  - Business Process: a system or procedure that an organization uses to support a business service
  - Infrastructure software and hardware
2. Software version number
3. Validation, Qualification or N/A
4. SOPs
5. System Owner name
6. Business Owner name
Examples of CIs excluded from tracking: laptops/desktops/end user assets (cell phones, memory sticks, etc.)
IS Configuration Management
Key Resources Responsibility
CI Owner: = System Owner
Configuration Auditor
- Plans and executes audit of configuration data
- Identifies unauthorized configuration information
- Undertakes audits of configuration information
Note: configuration auditor will not audit his/her own changes
Configuration Librarian:
- Guardian of master copies of CIs
- Updates CIs based on “Update CIs” requests submitted by Configuration Requester
- Creates new CIs based on “Create CIs” requests submitted by Configuration Requester
- Responsible for accuracy of configuration items and associated attributes
- Generates configuration reports
- Accepts and records the receipt of new/revised configurations
Configuration Manager (CM):
- Responsible for day to day quality and integrity of Configuration Management and CM process.
- Represents the site/functional area for the enterprise configuration management process
- Facilitates resolution of issues with items not complying with the process
- Supports the process for ensuring accuracy of CMDB entries throughout the lifecycle of the systems tracked as CIs in the CMDB
- Acts as point of contact for system owners
- Performs reviews at defined interval to ensure the logical depiction in the CMDB reflects the actual physical environment
Configuration Requestor:
- Submits change requests for updates to CIs discovered during an incident, problem resolution, or change
- Submits change requests for creation of new CIs
IS Config. Management Phases
The High level tasks of Configuration Management are:
- Identification of configuration items to be included in the CMDB
- Control of data to ensure that it can only be changed by authorized individuals
- Status maintenance, which involves ensuring that current status of any CI is consistently recorded and kept updated
- Verification, through audits and reviews of the data to ensure that it is accurate
IS Config. Management Phases - Submit Config. Request
The Configuration Requester submits a request for new or updated configuration items or for a service including:
- Configuration item (CI) field attributes
- Configuration model CI types, attributes, or relationships
- Reports of status or details on one or more CIs
The Configuration Librarian verifies the request.
If authorized/appropriate, the Configuration Librarian proceeds. If rejected, communicate the reason of rejection to the Configuration Requester
IS Config. Management Phases - Report CIs
The Configuration Librarian
- Retrieves the required information from the Configuration Management System
- Delivers the report to the Configuration Requester
IS Config. Management Phases - Identify CIs
For new or revised CIs:
- The Configuration Librarian identifies CI types and assesses impact to CMS
- The Configuration Librarian identifies the business reason for the Change and submits a Change Request
  - If the change request is approved, the CI type is created/enabled within the CMS (including attributes and relationships to be tracked)
  - If the change request is rejected the change requestor is notified and the change is closed
IS Config. Management Phases - Control CIs
The Configuration Librarian creates new CIs, updates CI information or makes a CI obsolete based on information provided by the Configuration Requester.
IS Config. Management Phases - Review CIs
The Configuration Manager performs verifications that check the existence of CIs and confirm that CIs are correctly recorded in the CMS:
- The Configuration Manager initiates a periodic verification to confirm integrity of the CMS for their functional area or site
- The Configuration Manager summarizes CI variances (i.e., what is in the CMS vs. what was expected to be in it) in the configuration report
- If Configuration Item errors are discovered, submit a change request to have the errors corrected. The Configuration Manager is responsible for any necessary corrective action
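The periodic verification described above amounts to comparing CMS records with what is actually found in the environment, reporting the variances, and raising a change request for each one. The following is an added example, not part of the presentation: the `CI` field names, the `last_changed_by` audit field and the sample inventory are assumptions, and the last function applies the rule that a configuration auditor does not audit his/her own changes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CI:  # attributes taken from the slides' list; field names are hypothetical
    name: str
    classification: str
    version: str
    system_owner: str
    last_changed_by: str = ""  # assumed audit field, not on the slides

COMPARED = ("classification", "version", "system_owner")

def variance_report(cms, observed):
    """Diff CMS records against an observed inventory, both keyed by CI name."""
    report = {"not_in_cms": [], "not_observed": [], "attribute_mismatch": []}
    for name in sorted(set(cms) | set(observed)):
        if name not in cms:
            report["not_in_cms"].append(name)
        elif name not in observed:
            report["not_observed"].append(name)
        else:
            for attr in COMPARED:
                recorded = getattr(cms[name], attr)
                actual = getattr(observed[name], attr)
                if recorded != actual:
                    report["attribute_mismatch"].append((name, attr, recorded, actual))
    return report

def correction_requests(report):
    """One change request per variance; the CMS itself is not edited here."""
    requests = [{"ci": n, "request": "Create CIs"} for n in report["not_in_cms"]]
    requests += [{"ci": n, "request": "Update CIs", "detail": "not found in environment"}
                 for n in report["not_observed"]]
    requests += [{"ci": n, "request": "Update CIs", "detail": f"{attr}: {old} -> {new}"}
                 for n, attr, old, new in report["attribute_mismatch"]]
    return requests

def auditable_by(auditor, cms):
    """CIs an auditor may review: those the auditor did not last change."""
    return sorted(n for n, ci in cms.items() if ci.last_changed_by != auditor)

# Constructed sample data (not a real inventory)
CMS = {ci.name: ci for ci in (
    CI("LIMS", "Business Application", "4.2", "A. Owner", "librarian1"),
    CI("ERP", "Business System", "7.0", "B. Owner", "auditor1"),
    CI("LegacyDB", "Infrastructure software", "9.1", "C. Owner", "librarian1"),
)}
OBSERVED = {ci.name: ci for ci in (
    CI("LIMS", "Business Application", "4.3", "A. Owner"),
    CI("ERP", "Business System", "7.0", "B. Owner"),
    CI("FileSrv02", "Infrastructure hardware", "n/a", "C. Owner"),
)}

if __name__ == "__main__":
    for request in correction_requests(variance_report(CMS, OBSERVED)):
        print(request)
```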