Change Management Policy
1. Purpose
The purpose of this document is to manage the risk posed by changes in the company and to inform all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations with regard to the change management of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.
2. Scope
This document covers change management as applied to information security, including the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.
3. Compliance
3.1 Compliance Measurement
The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.
3.2 Exceptions
Any exception to the policy must be reviewed and approved in advance by the Management Review Team.
3.3 Non-Compliance
Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.
3.4 Continual Improvement
This document is updated and reviewed as part of the continual improvement process.
4. Requirements
4.1 Request for Change
Change requests are made via the company change platform and process.
4.2 Change Request Approval
Changes are approved by departmental managers and/or the senior management team before implementation.
4.3 Change Register
A register of changes is maintained.
4.4 Change Prioritization / Classification
All change requests are prioritized in terms of benefit, urgency, the effort required, and potential impact on company operations.
4.5 Change Risk Assessment
Changes are assessed for risk following the Risk Management Policy and Risk Management Procedure.
4.6 Change Impact Assessment
Changes are assessed for positive and negative impacts to customers and DefectDojo.
4.7 Testing
Changes are tested in an isolated, controlled, and representative environment, where feasible, before implementation to minimize the risks to company processes, operations, security, and clients.
4.8 Version Control
Software changes and updates are controlled with version control. Older versions are retained in accordance with retention and storage processes.
4.9 Communicating Change
All users or user representatives impacted by a change are notified of the change.
4.10 Rollback
Procedures to roll back or recover from an unsuccessful change are in place, where appropriate.
4.11 Change Freeze
At certain critical times of the year, it may be necessary to impose a freeze on non-essential changes. A change freeze may be approved by senior management, during which time only the highest priority changes will be approved and implemented.
4.12 Emergency Change
Emergency changes may operate outside the normal change process, but must be approved by senior management. In some cases, events are critical enough that a change must be rushed through, creating an Emergency/Unscheduled Change. Each situation is different, and as much consideration as possible should be given to the potential consequences of attempting this type of change. It is still necessary to obtain sufficient approval for the change, which may be done by discussing the matter with a relevant service manager or section head and logging who was consulted and how the change was approved.
4.13 Unauthorized Changes
Unauthorized changes are tracked, reported at the Management Review Team meeting, and escalated to senior management as required. Unauthorized changes are subject to the Continual Improvement process.
5. Relevant Documents
- N/A