Change Management Policy
Download PDF
Controlled copy — valid on date of download only
Internal Use
Change Management Policy
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 1.0 |
| Cadence | Annual |
| Policy Owner | Chief Technology Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-4, DCF-5, DCF-6, DCF-7, DCF-10, DCF-11, DCF-12, DCF-13, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-25, DCF-26, DCF-27, DCF-31, DCF-32, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-47, DCF-48, DCF-49, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-96, DCF-99, DCF-100, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy is to define how Dispel plans, approves, implements, and reviews changes to systems and services in a controlled manner that minimizes unplanned outages and security risks.
1.2 Scope
This policy applies to:
- All changes to Dispel-managed production systems, applications, infrastructure, and networks.
- Changes to configurations, code, infrastructure-as-code, and supporting services that may impact confidentiality, integrity, availability, or compliance.
- All Covered Persons involved in requesting, approving, implementing, or reviewing changes.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC2.1, CC2.3, CC8.1 | Change control, system operations, and change management over production environments. |
| 2 | ISO/IEC 27001 | A.8.32, A.8.33 | Change management and test data controls for information systems. |
| 3 | NIST SP 800-53 | CM-1, CM-3, CM-4, CM-5 | Configuration and change management policy, change control, impact analysis, and access restrictions for change. |
| 4 | IEC 62443 | 62443-3-3.SR7.6 | Managing change and configuration for industrial systems. |
| 5 | HIPAA | 164.308(a)(1) | Risk management for changes that may affect ePHI systems. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL ensure that all in-scope changes are planned, reviewed, approved, tested (where appropriate), and documented prior to implementation.
2.3 Secondary Policy Statement
- Emergency changes SHALL follow an expedited but documented process and be reviewed after implementation.
- Changes SHALL include rollback plans and clear responsibilities.
3. REQUIREMENTS
3.1 Change Management Governance
Objective: Establish governance over change management.
Mandatory Activities:
- The Policy Owner SHALL own this policy and associated procedures and ensure they are reviewed at least annually.
- Change management roles and authorization levels SHALL be defined and documented.
- This policy and procedures SHALL be disseminated to Covered Persons; review, acceptance, and acknowledgement SHALL be required initially and at least annually.
Required Outputs:
- Current change management policy and procedures.
- Records of acknowledgements for relevant roles.
Security Controls: NIST SP 800-53 CM-1.
3.2 Standard Change Process
Objective: Define the process for planned changes.
Mandatory Activities:
- For planned changes, Dispel SHALL:
- Record the change in an approved change tracking system with a unique identifier.
- Specify scope, implementation steps, testing requirements, and rollback plan.
- Obtain required approvals prior to implementation.
- Changes SHALL be scheduled at times that minimize business impact.
- Changes SHALL be implemented only by authorized personnel.
- Post-implementation validation SHALL confirm that the change had the intended effect and did not introduce unexpected issues.
Required Outputs:
- Change records including approvals, test evidence, and rollback plans.
Security Controls: NIST SP 800-53 CM-3, CM-4.
3.3 Emergency and Unplanned Changes
Objective: Control emergency and unplanned changes.
Mandatory Activities:
- Emergency changes (e.g., critical vulnerability fixes) MAY follow an expedited approval process but SHALL still be documented.
- Post-implementation reviews SHALL:
- Confirm whether the change was effective.
- Identify any follow-up actions or improvements to the process.
- Unplanned or unintended changes SHALL be investigated, with corrective actions and documentation as needed.
Required Outputs:
- Emergency change records and post-implementation review notes.
Security Controls: NIST SP 800-53 CM-3, CM-4.
3.4 Software and Configuration Changes
Objective: Ensure software and configuration changes are controlled and traceable.
Mandatory Activities:
- Production systems SHALL only contain approved, tested code and configurations.
- Version control systems SHALL be used to manage source code and configuration-as-code.
- Access to change production configurations and code SHALL be restricted to authorized personnel and protected with strong authentication.
- Changes to production SHALL be deployed via controlled pipelines, with peer review and testing appropriate to the risk.
Required Outputs:
- Version control history and change logs.
- Records of code reviews and test results.
Security Controls: NIST SP 800-53 CM-5.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this Change Management Policy.
- Ensures alignment with configuration management and SDLC processes.
- Coordinates periodic reviews and updates.
4.2 Change Advisory / Review Function
Responsibilities:
- Review high-impact or high-risk changes.
- Confirm that risk, testing, and rollback considerations are addressed.
- Recommend approval, rejection, or deferral.
4.3 System Owners / Administrators
Responsibilities:
- Initiate and implement changes in accordance with this policy.
- Ensure testing and validation are completed.
- Maintain system documentation and change records.
5. PROCEDURES
5.1 Change Management Lifecycle (High-Level)
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Submit change request with description, scope, risk, test, and rollback details. | Requestor, System Owner | Prior to change window |
| 2 | Review and approve change based on impact and risk. | Policy Owner, Change Review Function | Before implementation |
| 3 | Implement change according to plan and record outcomes. | System Owner / Administrator | During change window |
| 4 | Validate change and update documentation and configuration records. | System Owner / Administrator | Immediately after change |
| 5 | Review completed changes and lessons learned as needed. | Policy Owner, Change Review Function | Periodically |
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this policy SHALL be monitored through:
- Reviews of change records and approvals.
- Audits of production configurations against baselines.
- Reviews of incidents related to failed or unauthorized changes.
6.2 Metrics and Reporting
The following metrics SHALL be tracked and reported at least annually to the Policy Owner and senior management:
| Metric | Frequency | Owner |
|---|---|---|
| Number of changes implemented vs. failed or rolled back | Quarterly | Policy Owner |
| Number of emergency changes and post-implementation reviews completed | Quarterly | Policy Owner |
| Number of unauthorized or unplanned changes detected | Annual | Security Officer |
6.3 Non-Compliance Consequences
Failure to comply with this policy and procedures may result in:
- Increased risk of outages or security incidents.
- Revocation or restriction of access for Covered Persons who repeatedly fail to follow change procedures.
- Disciplinary action for employees and contractors, consistent with Dispel HR policies and applicable law.
7. EXCEPTIONS AND WAIVERS
7.1 Exception Process
Exceptions to this policy SHALL:
- Be submitted in writing by the requesting party.
- Identify the specific policy or procedural requirements for which an exception is sought.
- Include justification and business impact.
- Describe compensating controls or mitigation measures.
- Define exception duration and remediation plan.
7.2 Exception Approval Authority
| Risk Level | Approval Authority |
|---|---|
| Low | Policy Owner |
| Medium | Policy Owner and Security Officer |
| High | Policy Owner, Security Officer, and Senior Management representative |
| Critical | Senior Management representative in consultation with Policy Owner and Security Officer |
8. DEFINITIONS
Change: Any addition, modification, or removal of hardware, software, or configuration that could impact services.
Emergency Change: A change that must be implemented as soon as possible to resolve a critical issue or vulnerability.
9. REFERENCES
9.1 Internal References
- System Configuration Management Policy and Procedures.
- Software Development Life Cycle / System Development Lifecycle documents.
- Incident Response Policy and Procedures.
9.2 External References
- NIST SP 800-53, CM family.
- ISO/IEC 27001 and related guidance on change and configuration management.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.1 | Predates version control | Ethan Schmertzler | Aligned Change Management Policy to POLICY_TEMPLATE and updated control mappings. |
| 1.0 | Predates version control | Ethan Schmertzler | Initial Change Management Policy. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | |||
| Security Officer | |||
| Senior Management Representative |
APPENDICES
Appendix A: Supporting Change Management Procedures
This appendix may include:
- Detailed change request templates.
- Example approval workflows.
- Checklists for code, configuration, and infrastructure changes.
Appendix B: Additional Guidance and Examples
This appendix may include:
- Example change scenarios and lessons learned.
- References to industry best practices for change management.