PURPOSE:
This IT Change Management Policy establishes the framework, standards, and procedures for managing IT changes to Idaho College of Osteopathic Medicine (ICOM) information systems, infrastructure, applications, and related services. The purpose of this policy is to ensure that changes are implemented in a controlled, secure, and systematic manner to minimize potential risks, disruptions, and negative impacts on the confidentiality, integrity, and availability of ICOM's information assets and services. Effective change management is critical for maintaining system stability, supporting security controls, ensuring regulatory compliance, and facilitating efficient IT operations.
SCOPE:
This policy applies to all proposed changes that could impact ICOM's information technology environment. This includes, but is not limited to:
- Changes to servers, workstations, and mobile devices (hardware and software).
- Changes to network infrastructure (routers, switches, firewalls, wireless access points).
- Changes to operating systems and system software.
- Changes to applications (including institutionally managed applications and SaaS configurations).
- Changes to databases and data structures.
- Changes to security configurations and controls.
- Changes to IT services and service delivery processes.
- Changes to cloud service configurations and integrations.
This policy applies to all individuals and departments initiating, approving, or implementing changes within the scope defined above, including ICOM faculty, staff, administrators, contractors, and third-party vendors acting on behalf of ICOM.
DEFINITIONS:
- Change: An addition, modification, or removal of anything that could have an effect on IT services or the IT infrastructure.
- Change Management: The process of controlling the lifecycle of all changes, enabling beneficial changes to be made with minimum disruption to IT services.
- Change Request (CR): A formal proposal for a change to an IT service or infrastructure component.
- Change Initiator: The individual or group proposing a change.
- Change Approver: The individual(s) or group authorized to approve a change based on its risk and impact.
- Change Advisory Board (CAB): A group of individuals who advise the Change Manager on the assessment, prioritization, and scheduling of changes. Typically involved in reviewing higher-risk changes. ICOM designates the Data & Technology Executive Council to also function as the CAB.
- Rollback Plan: A documented plan to revert a change to its previous state if the implementation is unsuccessful or causes unexpected issues.
- Emergency Change: A change that must be implemented as soon as possible, usually to resolve a major incident or implement a critical security patch.
POLICY:
- Requirement for Change Management Process: All changes within the scope of this policy must follow the defined Change Management process as defined in the IT Change Type Matrix.
- Change Documentation: Proposed changes should be formally documented (according to the IT Change Management Plan) using the designated Change Request process and system. Documentation must include the nature of the change, reason, impact assessment, rollback plan, and testing results.
- Risk Assessment: All changes must be assessed for potential risks to ICOM's information assets, systems, and operations. The level of risk will determine the required level of approval and testing.
- Change Approval: Changes must be reviewed and approved by authorized personnel based on the assessed risk and impact. Significant or high-risk changes may require review and approval by the Change Advisory Board (CAB).
- Change Testing: Changes must be adequately tested in a non-production environment (when available) before implementation in the production environment to ensure they function as expected and do not introduce adverse effects.
- Rollback Planning: A documented rollback plan must be developed for all non-standard changes to allow for a return to the previous state if the change is unsuccessful or causes unforeseen problems.
- Communication: Relevant stakeholders must be informed of planned changes, their potential impact, and implementation schedules. Communication should occur before, during, and after the change as appropriate.
- Emergency Changes: A defined process for handling emergency changes must be in place to address critical issues requiring immediate action. Emergency changes are still subject to documentation and review as soon as practically possible.
- Roles and Responsibilities: Roles and responsibilities for initiating, documenting, assessing, approving, implementing, and reviewing changes must be clearly defined and assigned.
- Change Review: Implemented changes should be reviewed to confirm successful implementation and assess whether the change achieved its intended outcome without causing unintended issues.
COMPLIANCE:
Violations of this policy may result in disciplinary action, up to and including termination of employment, contract, or affiliation with ICOM, and may also result in legal action.
POLICY REVIEW AND UPDATES:
This Change Management Policy will be reviewed and updated at least annually, or as needed to reflect changes in technology, organizational structure, risk assessments, business needs, or best practices in change management and information security. The Chief Information Officer is responsible for coordinating policy reviews and updates, in consultation with the IT Department and relevant stakeholders.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual