Requirements Analysis/Gathering. System Requirements Specification. Software/System Design. Design Specification. Coding. Source Code.

(1)

Change Control and

Configuration Management

1

II

VT 11

thth

_{Annual conference}

April 2010

Gisele Fahmi, B.Eng., M.A.Sc. Gisele Fahmi, B.Eng., M.A.Sc.

Amgen is not responsible for the written

b l

t t f thi

t ti

b l

t t f thi

t ti

DISCLAIMER

2

or verbal content of this presentation

Agenda

Agenda--Part 1

Part 1

Definitions and OverviewDefinitions and Overview

Change ControlChange Control

Configuration ManagementConfiguration Management

Change & Configuration Management RelationshipChange & Configuration Management Relationship

IS Change Control/ManagementIS Change Control/Management

TerminologyTerminology

Key Resources ResponsibilityKey Resources Responsibility

Type CategoriesType Categories

PhasesPhases

Process SummaryProcess Summary

TipsTips

Emergency/Urgent ChangesEmergency/Urgent Changes

Agenda

Agenda--Part 2

Part 2

IS Configuration ManagementIS Configuration Management

TerminologyTerminology

Key Resources ResponsibilityKey Resources Responsibility

PhasesPhases

Process SummaryProcess Summary

Tool tipsTool tips

SummarySummary

Interactive sessionInteractive session

(2)

Definitions and Overview

Change Control

Change Control/Management is a formal process

used to ensure that:

Changes to a product or system are introduced in a Changes to a product or system are introduced in a controlled and coordinated manner

controlled and coordinated manner

It reduces the possibility that unnecessary changes will It reduces the possibility that unnecessary changes will

b i t d d t t ith t f th ht b i t d d t t ith t f th ht

5

be introduced to a system without forethought, be introduced to a system without forethought, introducing faults into the system or undoing changes introducing faults into the system or undoing changes made by other users of software

made by other users of software

The goals of a change control procedure usually include:The goals of a change control procedure usually include:

Minimal disruption to servicesMinimal disruption to services

Reduction in backReduction in back--out activitiesout activities

CostCost--effective utilization of resources involved in implementing effective utilization of resources involved in implementing change

change

Definitions and Overview

Change Control …Cont’d

Change Management is

A structured approach to transitioning A structured approach to transitioning individualsindividuals, ,

teams

teams, and , and organizationsorganizationsfrom a current state to a from a current state to a desired future state (Source: Wikipedia)

desired future state (Source: Wikipedia)

The process during which the changes of a system are The process during which the changes of a system are

implemented in a controlled manner by following a pre implemented in a controlled manner by following a pre

6

implemented in a controlled manner by following a pre implemented in a controlled manner by following a pre--defined framework/model with, to some extent, defined framework/model with, to some extent, reasonable modifications

reasonable modifications

A systematic approach to proposing, evaluating, A systematic approach to proposing, evaluating, approving, implementing, and reviewing changes approving, implementing, and reviewing changes (Source: ICH Q10)

(Source: ICH Q10)

Definitions and Overview

Configuration Management

Configuration Management (CM) is a field

of management that focuses on

Establishing and maintaining consistency of a

system's performance, its functional/physical

7

system s performance, its functional/physical

attributes with its requirements/design, and

operational information throughout its life

Definitions and Overview

Configuration Management…Cont’d

Configuration Management is responsible for:

Identifying, Identifying, Controlling, and Controlling, and Tracking Tracking all versions of

all versions of hardware, hardware, software, software, documentation, documentation, 8 processes, processes, and procedures and procedures

under the control of Change Management

These items are referred to as Configurations

Items (CIs) and all changes to them are

recorded and tracked throughout the

component lifecycle

(3)

Definitions and Overview

Change & Configuration

Management Relationship

A CI is an aggregation of hardware or software or

both that is designated for Configuration

Management and treated as a single entity in the

Configuration Management process (Source:

9

Configuration Management process (Source:

IEEE)

During the assessment of a proposed change, the

Configuration Management

process identifies the

CIs

affected by the

Change

Change Implementation involves update and

verification of impacted CIs and documentation

IS Change Control/Management

Terminology

Baselines: Baselines are the core of Software

Change Management (SCM); they provide a stable

platform to work from

10

The Configuration Items that are identified

determine the baseline (s) associated with the

project

Change Baseline Scheme Diagram

Design Specification System Requirements Specification Software/System Design Coding Requirements Analysis/Gathering Source Code Testing/Data/Results System Deployed in Production Coding Execution Release

Baseline is a secure specification of the software in

the current state:

Changes to the baseline can only be made by following Changes to the baseline can only be made by following

strict change control procedures. The baseline must be strict change control procedures. The baseline must be

d f h i d h d f h i d h

IS Change Control

Terminology…Baseline

protected from any unauthorized changes protected from any unauthorized changes

A new baseline is established for each complete set of A new baseline is established for each complete set of

approved system changes approved system changes

Each baseline must include a crossEach baseline must include a cross--reference, or reference, or traceability matrix that maps each design element to traceability matrix that maps each design element to their corresponding software requirements their corresponding software requirements

(4)

Change: The addition, modification or removal of

anything impacting a regulated system. The scope

should include all IT Services, Configuration

Items, Process, Documentation, etc.

Change Record: A Record containing the details of

IS Change Control

Terminology…Cont’d

13

Change Record: A Record containing the details of

a Change.

Change Records

should reference the

Configuration Items

that are affected by the

Change

The receipt of a change request initiates the

lifecycle of a Change Record

Change Control Board (CCB) or Change Advisory

Board (CAB):

An authoritative and representative group of crossAn authoritative and representative group of cross--functional resources people who assist the Change functional resources people who assist the Change Manager in the assessment; prioritization and Manager in the assessment; prioritization and scheduling of changes for all high impact

scheduling of changes for all high impactRequests forRequests for

IS Change Control

Terminology…Cont’d

14

scheduling of changes for all high impact

scheduling of changes for all high impact Requests for Requests for Change

Change((RFCRFCs)s)

They advise They advise Change ManagementChange Managementon the priorities of on the priorities of

RFCs and propose allocations of resources to implement RFCs and propose allocations of resources to implement those

those ChangesChanges

A CAB is an integral part of a defined change A CAB is an integral part of a defined change

management process designed to balance the need for management process designed to balance the need for change with the need to minimize inherent risks change with the need to minimize inherent risks

Determining roles and responsibilities

The 4 Ws: The 4 Ws: whowho whatwhat h nh n

IS Change Control

Key Resources Responsibility

15

when when

and why of change and why of change

Change Manager (CM)

Reviews RFCs to ensure adherence to the Change Reviews RFCs to ensure adherence to the Change Management Process

Management Process

Provides guidance and training to COs throughout the Provides guidance and training to COs throughout the

h l

IS Change Control Key Resources

Responsibility …Cont’d

16

change control process change control process

Accepts or rejects RFCsAccepts or rejects RFCs

Plans and chairs the CCB/CAB meetingsPlans and chairs the CCB/CAB meetings

Closes RFCs upon successful completion of all change Closes RFCs upon successful completion of all change

related activities related activities

(5)

Change Owner (CO)

Owns the change throughout its lifecycleOwns the change throughout its lifecycle

Assigns, coordinates, and ensures completion of Assigns, coordinates, and ensures completion of assessments and approvals and presents proposed assessments and approvals and presents proposed changes to the CCB/CAB

changes to the CCB/CAB

C i l i d ll b k l

IS Change Control Key Resources

Responsibility …Cont’d

17

Creates implementation and roll back plansCreates implementation and roll back plans

Assures that areas affected by the change are notified in Assures that areas affected by the change are notified in advance of the release and verifies successful

advance of the release and verifies successful implementation of the change

implementation of the change

Assures testing is performed and results are Assures testing is performed and results are appropriately documented

appropriately documented

Notifies Change Manager of any unsuccessful changes Notifies Change Manager of any unsuccessful changes

and takes appropriate measures to remediate/resolve and takes appropriate measures to remediate/resolve

Change Requester (CR)

Collects basic information to initiate the RFC in the Collects basic information to initiate the RFC in the

change control management system change control management system

NOTE:NOTE: Change Requester is the CO in most casesChange Requester is the CO in most cases

IS Change Control Key Resources

Responsibility …Cont’d

18

Business Owner (BO)

Accountable for providing a business assessment to Accountable for providing a business assessment to

support the change support the change

Ensures that new system/service requirements are Ensures that new system/service requirements are

delivered via the change delivered via the change

Assures the impact assessment is appropriate and fulfills Assures the impact assessment is appropriate and fulfills the business needs

the business needs

System Owner (SO)

Owner of the impacted CI and accountable for Owner of the impacted CI and accountable for providing a technical assessment to support the change providing a technical assessment to support the change

Responsible for ensuring a system is designed to meet Responsible for ensuring a system is designed to meet

h b i i d d

IS Change Control Key Resources

Responsibility …Cont’d

the business requirements and steady state support the business requirements and steady state support

Assures the impact assessment and the rollback plan are Assures the impact assessment and the rollback plan are

appropriate within the planned schedule appropriate within the planned schedule

Works with all interdependent System Owners, if Works with all interdependent System Owners, if

applicable, of the RFC CI prior to the change applicable, of the RFC CI prior to the change implementation

implementation

Quality Approver (QA)

Serves as a CCB/CAB memberServes as a CCB/CAB member

Reviews and approves or rejects RFCsReviews and approves or rejects RFCs

Ensures change content is compliant with the Ensures change content is compliant with the

appropriate regulations and procedures appropriate regulations and procedures

IS Change Control Key Resources

Responsibility …Cont’d

appropriate regulations and procedures appropriate regulations and procedures

Validation Assessor (VA)

Serves as a CCB/CAB memberServes as a CCB/CAB member

Defines validation activities and strategy requiredDefines validation activities and strategy required

Ensures compliance during the change executionEnsures compliance during the change execution

Identifies compliance issues, if applicable, that must be Identifies compliance issues, if applicable, that must be

resolved before the RFC moves to the next change phase resolved before the RFC moves to the next change phase

(6)

IS Change Control Type Categories

Critical

Change

Significant impact on the functionality, including Significant impact on the functionality, including

qualified/validated status of GxP systems qualified/validated status of GxP systems

Highest risk factor/level and impact to critical Highest risk factor/level and impact to critical

business processes and service level business processes and service level

This change category requires extensive planning,This change category requires extensive planning,

21

This change category requires extensive planning, This change category requires extensive planning,

scheduling since it implies cross system impact scheduling since it implies cross system impact

The change requires planned outage outside of The change requires planned outage outside of

schedule maintenance window defined for the schedule maintenance window defined for the system

system

Examples:Examples: Full version upgrade of a GxP Full version upgrade of a GxP

application, involves release of a new GxP application, involves release of a new GxP application

application

IS Change Control Type Categories

…Cont’d

Medium

Change

Requires substantial resources to plan, build and Requires substantial resources to plan, build and

implement implement

Medium risk factor/level and minimal impact to Medium risk factor/level and minimal impact to

business processes business processes

The change does not result in significantThe change does not result in significant

22

The change does not result in significant The change does not result in significant

functional modifications functional modifications

Changes do not pose significant impact to the Changes do not pose significant impact to the

validated/qualified status of GxP systems validated/qualified status of GxP systems

IS Change Control Type Categories

…Cont’d

Minor

Change

Minor risk factor/level Minor risk factor/level

Planning, scheduling, and activity coordination Planning, scheduling, and activity coordination

takes place within one single functional area takes place within one single functional area

Only impacts a single systemOnly impacts a single system

D i l f ll i d f G P

23

Do not involve a full version upgrade of a GxP Do not involve a full version upgrade of a GxP

application application

Do not involve a new release of a GxP applicationDo not involve a new release of a GxP application

IS Change Control Type Categories

…Cont’d

Standard

Change

This change category is governed by a specific This change category is governed by a specific

procedure documented in details for auditing procedure documented in details for auditing purposes

purposes

Changes classified under this change type are part Changes classified under this change type are part of routine/maintenance activities

of routine/maintenance activities

24

//

Change does not affect the functionality or Change does not affect the functionality or

validated/qualified status of GxP systems validated/qualified status of GxP systems

(7)

Risk factors are determined based on:

Number of usersNumber of users

Number of system impactedNumber of system impacted

Cross functional/global impactCross functional/global impact

Regulatory statusRegulatory status

IS Change Control Type Categories

…Cont’d

25 g y g y

Business activities supported by the systemBusiness activities supported by the system

Planned downtime required for Planned downtime required for

implementation/deployment in production implementation/deployment in production

Resources required to implementResources required to implement

NOTE:

NOTE: Critical and Medium Changes are required

Critical and Medium Changes are required

to be presented at CCB/CAB meeting. Minor

changes are at the discretion of the Change Manager

Creating a Change Control Process KIM (Keep In

Mind)

Documenting the change request life cycle Documenting the change request life cycle

Establishing and communicating change control Establishing and communicating change control

IS Change Control Phases

26

procedures procedures

Facilitating change from requirements through Facilitating change from requirements through

maintenance maintenance

IS Change Control Phases …Cont’d

Initiation

Change requester initiates the RFC by recording Change requester initiates the RFC by recording

at a minimum: at a minimum:

A change owner if different from change requesterA change owner if different from change requester

Description of the changeDescription of the change

CIs impacted by this changeCIs impacted by this change

Requested completion dateRequested completion date

The recommended change type categoryThe recommended change type category

Success criteria of the changeSuccess criteria of the change

Roll back planRoll back plan

A unique identifier is assigned to every RFCA unique identifier is assigned to every RFC

IS Change Control Phases …Cont’d

Review/

Initial

Authorization

Change Manager reviews the submitted RFC Change Manager reviews the submitted RFC then rejects/accepts the change based on the then rejects/accepts the change based on the completeness of information

completeness of information

If rejected, the Change Manager records the If rejected, the Change Manager records the rejection reason and the RFC status is changed rejection reason and the RFC status is changed to return to the Change Requester

to return to the Change Requestergg qq

If accepted, the CM confirms the change type If accepted, the CM confirms the change type and promotes the RFC to the next level/phase and promotes the RFC to the next level/phase

The SO and BO provide their initial The SO and BO provide their initial authorization to the change record authorization to the change record

For For Standard Standard Changes, the CM promotes the Changes, the CM promotes the RFC and the CO can perform the change record RFC and the CO can perform the change record phases and proceed to closure

(8)

IS Change Control Phases …Cont’d

Assessment/

Development

CO assigns the corresponding appropriate CO assigns the corresponding appropriate resources to each required assessment and resources to each required assessment and initiates the assessment phase

initiates the assessment phase

For For StandardStandardChanges, no regulatory Changes, no regulatory

assessment nor approval by Quality is assessment nor approval by Quality is

29

assessment nor approval by Quality is assessment nor approval by Quality is required

required

Change Assessors complete the following Change Assessors complete the following

assessments (refer to next slide): assessments (refer to next slide):

IS Change Control Phases …Cont’d

Assessment/

Development

Cont’d

Technical AssessmentTechnical Assessment--SOSO

Change Impact: describe changes required Change Impact: describe changes required to the system design and impact of those to the system design and impact of those changes on other systems

changes on other systems

Resource Analysis: estimate the resources Resource Analysis: estimate the resources needed (Network Developer with specific needed (Network Developer with specific

30 needed (Network, Developer with specific needed (Network, Developer with specific skills, etc.)

skills, etc.)

Document Update Plan: identify key Document Update Plan: identify key change deliverables required but not limited change deliverables required but not limited to:

to:

Code/design review, Code/design review,

Design Specification, Design Specification,

Admin SOP, etc.Admin SOP, etc.

IS Change Control Phases …Cont’d

Assessment/

Development

Cont’d

Technical AssessmentTechnical Assessment--SOSO--Cont’dCont’d

Proposed solution/design strategy: Specify Proposed solution/design strategy: Specify technical details of the change and how it is technical details of the change and how it is being performed

being performed

Test plan: testing strategy required to test Test plan: testing strategy required to test

h h I l d h i l f h

31 the change. Includes the rationale for the the change. Includes the rationale for the proposed testing approach

proposed testing approach

Rollback plan: back out plan description in Rollback plan: back out plan description in case of a system/change failure

case of a system/change failure

Release plan: Implementation schedule, Release plan: Implementation schedule, plan and audience to be notified of change plan and audience to be notified of change release

release

IS Change Control Phases …Cont’d

Assessment/

Development

Cont’d

Business AssessmentBusiness Assessment--BOBO

Impact of change: describe the changes needed Impact of change: describe the changes needed to support the business process and/or business to support the business process and/or business requirement

requirement

Resource analysis: analyze what resources are Resource analysis: analyze what resources are needed to represent the affected business area (s) needed to represent the affected business area (s)

32

needed to represent the affected business area (s) needed to represent the affected business area (s)

Document update plan: key change deliverables Document update plan: key change deliverables but not limited to: Requirements Specification, but not limited to: Requirements Specification, Operations SOP, Training documents Operations SOP, Training documents

Training Plan: specify timeline for roll out of Training Plan: specify timeline for roll out of

training training

(9)

IS Change Control Phases …Cont’d

Assessment/

Development

Cont’d

Validation AssessmentValidation Assessment--VAVA

Validation Impact summary: Impact to the Validation Impact summary: Impact to the validated state of the system, impact to Validation validated state of the system, impact to Validation docs and SOPs if applicable

docs and SOPs if applicable

Document Update PlanDocument Update Plan

33

Training Plan: Verify if completed via technical Training Plan: Verify if completed via technical or business assessment

or business assessment

Test Strategy: Specify environments that need to Test Strategy: Specify environments that need to be tested and types of testing required. Also be tested and types of testing required. Also provide details about what validation documents provide details about what validation documents and SOPs are required.

and SOPs are required.

IS Change Control Phases …Cont’d

Assessment/

Development

Cont’d

CO reviews the accuracy of the CO reviews the accuracy of the

assessments and obtains assessments and obtains

approvals/assessments for the change before approvals/assessments for the change before proceeding (Authorization to proceed proceeding (Authorization to proceed requires CM and/or CAB approval) requires CM and/or CAB approval)

SO BO CABSO BO CAB CMCM if selected and Qualityif selected and Quality

34

SO, BO, CABSO, BO, CAB--CMCM--if selected, and Quality if selected, and Quality complete their assessment authorization complete their assessment authorization

The change enters development and is The change enters development and is

completed per the requirements and design completed per the requirements and design changes

changes

Development summary is documented in Development summary is documented in

the change record the change record

Note:

Note: CAB includes: CAB includes:

technical/business/compliance members technical/business/compliance members

IS Change Control Phases …Cont’d

Test/Approval

to Implement

Record test results in the test summary of Record test results in the test summary of

the change record the change record

Required documentation needs to be Required documentation needs to be

complete prior to proceeding with CAB complete prior to proceeding with CAB approval (i e Test results summary approval (i e Test results summary approval (i.e. Test results summary approval (i.e. Test results summary recorded and documented in the change recorded and documented in the change record)

record)

CM organizes and presents test results at CM organizes and presents test results at

CAB CAB

CAB release approval obtained; then BO, CAB release approval obtained; then BO,

SO, Quality provide their release approval SO, Quality provide their release approval

IS Change Control Phases …Cont’d

Release/

Deployment

After change is approved for release, CO After change is approved for release, CO

coordinates change deployment in coordinates change deployment in production

production

CO ensures release package is scheduled CO ensures release package is scheduled and activities required for release are and activities required for release are qq complete

complete

(10)

IS Change Control Phases …Cont’d

Closure

CM reviews the postCM reviews the post--implementation implementation package to ensure the change record is package to ensure the change record is complete

complete

CM closes the change recordCM closes the change record

37

CM closes the change recordCM closes the change record

IS Change Control Assessment

Matrix Based on Change Type

Minimum Required Assessments Minimum Required Assessments Change Type

Change Type Technical Technical _Assessment_Assessment Business Business _Assessment_Assessment Regulatory Regulatory _Assessment_Assessment

38

Assessment

Assessment Assessment Assessment AssessmentAssessment

Regulatory Regulatory Critical Critical Medium Medium Required

Required RequiredRequired RequiredRequired Regulatory

Regulatory

Minor

Minor RequiredRequired N/AN/A RequiredRequired Standard

Standard N/AN/A N/AN/A N/AN/A

IS Change Control Process

Summary

Signature Authorization

to proceed

Change control Phases (with Authorizations, Assessments, Tasks, Approvals, and Roles)

Review& Initial Authorization Assessment Validation Assessment Assessment Authorization Development Test/Approval to implement Release Approval Release & deployment Change Type (Regulated) Initiation

Authorizations Tasks Tasks Authorizations Tasks Tasks Approvals Tasks Closure CM Tech-_SO Tech-_SO Tech-SO Tech-SO Bus-BO Bus-BO Critical Initiate RFC Request- Validation-VA Quality QA Development Summary-CO Test Summary-CO Quality QA Release Verification-CO Close RFC-CM 39 CO

Bus-BO Bus-BO CAB-_CM CAB-_CM

CO CM CM Tech-_SO Tech-_SO Tech-SO Tech-SO Bus-BO Bus-BO Medium Initiate RFC Request-CO Bus-BO Bus-BO Validation-VA CAB-CM Quality QA Development Summary-CO Test Summary-CO CAB-CM Quality QA Release Verification-CO Close RFC-CM CM Tech-_SO Tech-_SO Minor Initiate RFC Request-CO Tech-SO Tech-SO Validation-_VA CAB-CM Quality QA Development Summary-CO Test Summary-CO CAB-CM Quality QA Release Verification-CO Close RFC-CM CM Standard Initiate RFC Request-CO Tech-SO

N/A N/A N/A N/A N/A N/A Verification-Release CO

Close RFC-CO

Before implementing any change it is recommended: Before implementing any change it is recommended:

To have an informal review involving target resources to be To have an informal review involving target resources to be

impacted by the change (SO, BO, etc.) impacted by the change (SO, BO, etc.)

Review the impact of the change requested. It is not always Review the impact of the change requested. It is not always

necessary to apply the change (e.g. it may be a “nice necessary to apply the change (e.g. it may be a “nice--to

to--IS Change Control Tips

IS Change Control Tips

40

have” low priority request) have” low priority request)

Perform an analysis and assessment of the technical Perform an analysis and assessment of the technical

proposal of how the requested change will be engineered proposal of how the requested change will be engineered

Review the cost and resource estimates in case further steps Review the cost and resource estimates in case further steps

are required are required BENEFIT:

BENEFIT: Perform the above steps early to identify potential Perform the above steps early to identify potential cost/time savings by incorporating into a subsequent cost/time savings by incorporating into a subsequent release.

(11)

Definition: Emergency Changes relate to

immediate resolution of a known production

incident where an outage of a system,

IS Change Control

--Emergency/Urgent Changes

Emergency/Urgent Changes

41

application or other service component has

occurred

Emergency Changes must be associated

with a high priority incident

Emergency Process Description:

1.

The Change Requestor initiates the RFC:

Unless a delay in action would create a major business Unless a delay in action would create a major business

impact (e.g., potential loss of product, unrestricted impact (e.g., potential loss of product, unrestricted

IS Change Control

--Emergency/Urgent Changes

Emergency/Urgent Changes

…Cont’d

42 p ( g , p p , p ( g , p p ,

spread of a computer virus) spread of a computer virus)

If an RFC cannot be created, obtain an emergency If an RFC cannot be created, obtain an emergency

change approval from the SO, BO or CAB member change approval from the SO, BO or CAB member before proceeding. This approval can be obtained before proceeding. This approval can be obtained verbally, followed by an email within 24 hours which verbally, followed by an email within 24 hours which will be provided to the Change Manager and attached will be provided to the Change Manager and attached to the to

to the to--be change recordbe change record

Initiate an RFC within 1 business day of performing Initiate an RFC within 1 business day of performing

the emergency remediation the emergency remediation

Emergency Process Description

Emergency Process Description--Cont’d:

Cont’d:

2.

The RFC is reviewed by the Change Manager to

ensure the required information has been

d d Th RFC i

i h

d

j

d

d d Th RFC i

i h

d

j

d

IS Change Control

--Emergency/Urgent Changes

Emergency/Urgent Changes

…Cont’d

recorded. The RFC is either accepted or rejected

based on the outcome of the review

3.

A change record is created

4.

The Change Manager obtains approval/rejection

from the SO, BO or CAB member. The Change

Manager updates the change record per the

decision. This approval can be obtained verbally.

Emergency Process Description

Emergency Process Description--Cont’d:

Cont’d:

5.

The Change is deployed. Ensure that

documented evidence of the change is

maintained and attached to the change record

IS Change Control

--Emergency/Urgent Changes

Emergency/Urgent Changes

…Cont’d

maintained and attached to the change record

6.

The Change Owner will notify impacted parties

(including Quality for Regulated CIs) within 1

business day of the emergency

7.

The remaining tasks in the change record must

be executed within 1 month after the release of

the change

(12)

IS Configuration Management

Terminology

Configuration Management Database: A

CMDB is a repository of information related

to all the components of an information

system

45

A CMDB helps an organization understand

the relationships between the system

components by recording configuration

items (CI) and details about the important

attributes and relationships between CIs

IS Configuration Management

Terminology… Cont’d

Configuration Management System (CMS): A set

of tools and databases used to manage

configuration data. A CMS is maintained by a

configuration management process

46

Configuration Item (CI): An object that is treated

as a self

as a self--contained unit for the purposes of

contained unit for the purposes of

identification and change control. All

configuration items (CIs) are uniquely identified

by codes and version numbers

IS Configuration Management

Terminology… Cont’d

Configuration Management oversees the lifecycle

of the CIs through a combination of processes and

tools

The objective of these systems is to avoid the

47

introduction of errors related to lack of testing or

incompatibilities with other CIs

IS Configuration Management

Terminology… Cont’d

From the perspective of the implementer of a

change, the configuration item is the

"what"

of the

change. Altering a specific baseline version of a

configuration item creates a new baseline version

of the same configuration item

48

of the same configuration item

In examining the effect of a change, first consider:

What configuration items are affected? and What configuration items are affected? and

How have the configuration items been affected?How have the configuration items been affected?

The above considerations are part of the change

management impact analysis

(13)

IS Configuration Management

Terminology… Cont’d

1.

Examples of CI attributes/properties/specifications

in scope for the CMS include (but not limited to):

CI Name: Application/System nameCI Name: Application/System name

CI Classification: CI Classification:

Business Application: collection of components deployed and Business Application: collection of components deployed and

49

pp p p

assigned a version number assigned a version number

Business System: group of interdependent applications and other Business System: group of interdependent applications and other

system resources that interact to accomplish specific business system resources that interact to accomplish specific business functions

functions

Business Service: service delivered to business customersBusiness Service: service delivered to business customers

Business Process: a system or procedure that an organization uses Business Process: a system or procedure that an organization uses

to support a business service to support a business service

Infrastructure software and hardwareInfrastructure software and hardware

IS Configuration Management

Terminology… Cont’d

2.

Software version number

3.

Validation, Qualification or N/A

4.

SOPs

55

System Owner name

50 5.

5.

System Owner name

6.

Business Owner name

Examples

Examples of CIs

of CIs excluded

excluded from tracking:

from tracking:

laptops/desktops/end user assets (cell phones,

memory sticks, etc.)

CI Owner: = System Owner

Configuration Auditor

Plans and executes audit of configuration dataPlans and executes audit of configuration data

Identifies unauthorized configuration informationIdentifies unauthorized configuration information

IS Configuration Management

Key Resources Responsibility

gg

Undertakes audits of configuration informationUndertakes audits of configuration information

Note:

Note: configuration auditor will not audit his/her own

configuration auditor will not audit his/her own

changes

Configuration Librarian:

Guardian of master copies of CIsGuardian of master copies of CIs

Updates CIs based on “Update CIs” requests Updates CIs based on “Update CIs” requests

submitted by Configuration Requester submitted by Configuration Requester

C CI b d “C CI ” C CI b d “C CI ”

IS Configuration Management

Key Resources

Responsibility…Cont’d

Creates new CIs based on “Create CIs” requests Creates new CIs based on “Create CIs” requests

submitted by Configuration Requester submitted by Configuration Requester

Responsible for accuracy of configuration items and Responsible for accuracy of configuration items and associated attributes

associated attributes

Generates configuration reportsGenerates configuration reports

Accepts and records the receipt of new/revised Accepts and records the receipt of new/revised configurations

(14)

Configuration Manager (CM):

Responsible for day to day quality and integrity of Responsible for day to day quality and integrity of

Configuration Management and CM process. Configuration Management and CM process.

Represents the site/functional area for the enterprise Represents the site/functional area for the enterprise configuration management process

configuration management process

IS Configuration Management

Key Resources

Responsibility…Cont’d

53 g g p g g p

Facilitates resolution of issues with items not complying Facilitates resolution of issues with items not complying

with the process with the process

Supports the process for ensuring accuracy of CMDB Supports the process for ensuring accuracy of CMDB

entries throughout the lifecycle of the systems tracked as entries throughout the lifecycle of the systems tracked as CIs in the CMDB

CIs in the CMDB

Acts as point of contact for system ownersActs as point of contact for system owners

Performs reviews at defined interval to ensure the logical Performs reviews at defined interval to ensure the logical

depiction in the CMDB reflects the actual physical depiction in the CMDB reflects the actual physical environment

environment

Configuration Requestor:

Submits change requests for updates to CIs discovered Submits change requests for updates to CIs discovered

during an incident, problem resolution, or change during an incident, problem resolution, or change

IS Configuration Management

Key Resources

Responsibility…Cont’d

54

Submits change requests for creation of new CIsSubmits change requests for creation of new CIs

IS Config. Management Phases

The High level tasks of Configuration

Management are:

Identification of configuration items to be included in Identification of configuration items to be included in

the CMDB the CMDB

Control of data to ensure that it can only be changed byControl of data to ensure that it can only be changed by

55

Control of data to ensure that it can only be changed by Control of data to ensure that it can only be changed by

authorized individuals authorized individuals

Status maintenance, which involves ensuring that Status maintenance, which involves ensuring that current status of any CI is consistently recorded and current status of any CI is consistently recorded and kept updated

kept updated

Verification, through audits and reviews of the data to Verification, through audits and reviews of the data to

ensure that it is accurate ensure that it is accurate

IS Config Management Phases

…Cont’d

Submit

Config.

Request

The Configuration Requester submits a request for The Configuration Requester submits a request for

new or updated configuration items or for a service new or updated configuration items or for a service including:

including:

Configuration item (CI) field attributesConfiguration item (CI) field attributes

Configuration model CI types, attributes, or relationshipsConfiguration model CI types, attributes, or relationships

56

g yp , , p

Reports of status or details on one or more CIsReports of status or details on one or more CIs

The Configuration Librarian verifies the request. The Configuration Librarian verifies the request.

If authorized/appropriate, the Configuration If authorized/appropriate, the Configuration Librarian proceeds. If rejected, communicate the Librarian proceeds. If rejected, communicate the reason of rejection to the Configuration Requester reason of rejection to the Configuration Requester

(15)

IS Config. Management Phases

…Cont’d

Report

CIs

The Configuration Librarian

Retrieves the required information from the Retrieves the required information from the

Configuration Management System Configuration Management System

Delivers the report to the Configuration Delivers the report to the Configuration

R R

57

Requester Requester

IS Config. Management Phases

…Cont’d

Identify

CIs

For new or revised CIs: For new or revised CIs:

The Configuration Librarian identifies CI types The Configuration Librarian identifies CI types

and assesses impact to CMS and assesses impact to CMS

The Configuration Librarian identifies the The Configuration Librarian identifies the

business reason for the Change and submits a business reason for the Change and submits a

58

business reason for the Change and submits a business reason for the Change and submits a Change Request

Change Request

If the change request is approved, the CI type is If the change request is approved, the CI type is created/enabled within the CMS (including attributes and created/enabled within the CMS (including attributes and relationships to be tracked)

relationships to be tracked)

If the change request is rejected the change requestor is If the change request is rejected the change requestor is notified and the change is closed

notified and the change is closed

IS Config. Management Phases

…Cont’d

Control

CIs

The Configuration Librarian creates new

CIs, updates CI information or makes a CI

obsolete based on information provided by

the Configuration Requester.

IS Config. Management Phases

…Cont’d

Review

CIs

The Configuration Manager performs verifications The Configuration Manager performs verifications

that check the existence of CIs and confirm that that check the existence of CIs and confirm that CIs are correctly recorded in the CMS:

CIs are correctly recorded in the CMS:

The Configuration Manager initiates a periodic The Configuration Manager initiates a periodic verification to confirm integrity of the CMS for their verification to confirm integrity of the CMS for their functional area or site

functional area or site

The Configuration Manager summarizes CI variances The Configuration Manager summarizes CI variances (i.e., what is in the CMS vs. what was expected to be in it) (i.e., what is in the CMS vs. what was expected to be in it) in the configuration report

in the configuration report

If Configuration Item errors are discovered, submit a If Configuration Item errors are discovered, submit a change request to have the errors corrected. The change request to have the errors corrected. The Configuration Manager is responsible for any necessary Configuration Manager is responsible for any necessary corrective action