Integrated CSU Administrative Manual

CSU POLICY

Section:   INFORMATION SECURITY POLICY

Section 8000 Policies

Policy Number:   8055.0

Policy Title: Change Control 

Policy Effective Date: April 19, 2010

Last Revision Date:  
(see revision history)

POLICY OBJECTIVE

The CSU Information Security policy provides direction and support for managing changes to CSU information assets and provides guidance for implementing emergency changes to CSU information assets.

POLICY STATEMENT


100 Change Control

Changes to information technology systems, network resources, and applications need to be appropriately managed to minimize the risk of introducing unexpected vulnerabilities and ensure that existing security protections are not adversely impacted. Campuses must establish and document a process to manage changes to campus information assets containing level 1 or level 2 data, as defined in the CSU Data Classification Standard.

Campuses must evaluate the information security impact of changes by taking a risk-based approach to change control.  

Changes to information assets which store protected data will likely require a more rigorous review than changes to non-critical assets and must be made in accordance with a formal, documented change control process.  Changes that may impact the security of these information assets must be identified along with the level of control necessary to manage the change.

Campuses must define and communicate the scope of significant changes to level 1 and level 2 information assets in order to be sure that all affected parties have adequate information to determine if a proposed change is subject to the change management approval process.

 

200 Emergency Changes

Only authorized persons may make an emergency change to campus information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard.  Emergency changes are defined as changes which, due to urgency or criticality, need to occur outside of the campus’ formal change management process.

Such emergency changes must be appropriately documented and promptly submitted, after the change, to the campus normal change management process.

Benjamin F. Quillian
Executive Vice-Chancellor/Chief Financial Officer

Approved: April 19, 2010

APPLICABILITY AND AREAS OF RESPONSIBILITY

 

REVISION HISTORY

 

RESOURCES AND REFERENCE MATERIALS

Useful Guidelines:

 

Related Principles:

 

Sound Business Practices:

 

Laws, State Codes, Regulations and Mandates:

8055.S01 Change Control Standard

 

COGNIZANT OFFICE(S)

CO Manager:

Mr. William Perry
Chief Information Security Officer
CSU Office of the Chancellor
wperry@calstate.edu

Subject Expert:

Mr. William Perry
Chief Information Security Officer
CSU Office of the Chancellor
wperry@calstate.edu

Affinity Group:

 

Feedback/Questions/Comments