Ex Libris Change Management Policy
Version 1.3
Purpose and Scope
Ex Libris, part of Clarivate, proactively strives to maintain Ex Libris information and information systems. Reliable and accurate information is a vital business asset and critical to proper decision making at Ex Libris. The purpose of change management is to ensure that the system components used to deliver services are identified, recorded, and monitored so that only authorized changes are applied. Change management includes hardware, software, and associated documentation. This policy is a component of the Ex Libris Cloud security governance framework.
The policy applies to all Ex Libris employees, contractors and vendors who are authorized to access systems, applications, databases, networks, information and resources managed or maintained by Ex Libris.
Reference Documents
- Ex Libris Cloud Services Group Roles and Responsibilities
- ISO 27001 certification
- NIST SP 800-53 (Rev 4), Security and Privacy Controls for Federal Information Systems and Organizations
Roles and Responsibilities
The following section details Ex Libris roles and responsibilities regarding change management.
1. Senior Management
a. Approves company change management policy, procedures, and enterprise risks.
b. Allocates resources and tools to implement the change management security control requirements.
2. VP Cloud Services
a. Leads the change management activities in the cloud.
3. NOC Manager and Cloud Services P&C Director
a. Manage and lead the Change Advisory Board (CAB) and the Emergency Change Advisory Board (ECAB).
b. Approve changes.
4. Chief Information Security Officer (CISO)
a. Ensures that proposed changes are compliant with information security directives.
5. IT and Cloud Management
a. Implements the policy and procedures regarding change management.
6. NOC
a. Ensures that changes made are properly validated and documented prior to release for production.
b. Monitors changes in production to ensure that they are working as intended.
7. System Administrators/Developers
a. Follow procedures for change management.
b. Develop, test, and document changes made.
Terms and Acronyms
Availability: Ensuring timely and reliable access to and use of information.
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
CAB: Change Advisory Board, the body that reviews and approves changes prior to implementation.
ECAB: Emergency Change Advisory Board, the body that reviews and approves urgent or emergency changes.
Security Impact Analysis: The analysis conducted to determine the extent to which changes to the information system have affected the security state of the system.
Change Management Policy
To protect the confidentiality, integrity and availability of Ex Libris information and information systems, all changes made to Ex Libris systems will be planned, authorized, tested, reviewed, and approved before being implemented.
Change Control
Ex Libris manages changes to systems and application programs.
All changes will be recorded and logged.
The change control process includes:
Change Controls
a. Safeguarding production systems. Changes will not be applied directly to systems running in production; they are first tested and approved as described below.
b. Unscheduled changes require the same approval, testing, and review process as planned changes.
c. Enforcement of formal change control procedures.
d. Ensuring that updates addressing significant security vulnerabilities are prioritized, evaluated, tested, documented, approved and applied promptly to minimize the exposure of unpatched resources.
e. Proper authorization and approvals at all levels.
f. Successful testing of updates and new programs before they are moved into a production environment.
g. Documenting changes implemented for the information system.
h. Using rollback procedures designed to recover to the previous stable version of information systems.
Change Process
i. Determining the types of changes needed.
j. Implementing approved changes to the information system.
k. Retaining records of changes to the information system for the life of the system.
l. Auditing and reviewing activities associated with changes to the information system.
m. Coordinating and providing oversight for change activities through a Go/No Go board that convenes before changes occur.
n. Testing, validating, and documenting changes to the information system in a test environment before implementing them on the production system.
Impact analysis
Security impact analysis determines the extent to which changes to the information system affect the security state of the system.
For both planned and unplanned changes, an analysis will be performed to determine the potential security and privacy impact. As a result of the impact analysis, the following will be documented:
a. Impact on the security, confidentiality, and privacy requirements of Ex Libris functions or services.
b. Where appropriate, classification and handling instructions for information stored in the affected files.
c. Changes to access control mechanisms used in support of critical functions and services.
Emergency Changes
An urgent or emergency change is a change that requires immediate implementation or that, for any other reason, cannot wait for the standard/normal change procedure timelines. An urgent change requires that all responses, actions and workflow steps take place immediately following notification of the change.
For an urgent change the same approval, testing and documentation process applies, but it is carried out immediately following notification of the change.
Change Priority and Classification
All normal changes should be reviewed and approved by the CAB.
Standard changes should be approved by the CAB when their risk/impact rating is High or Medium.
Change requests should be assigned an Impact and Risk rating based on the following scale:
- H – Critical/High: A critical priority change request is considered imperative to the success of the application functionality or business activity. This type of change request is mandatory and must be completed, as it has a direct and significant impact on revenue and/or operations. Examples of critical change requests are regulatory requirements, functionality needed to meet core business process requirements, or data integrity with respect to database content.
- M – Medium: A medium priority change request has the potential to affect successful completion of the activity but is neither an immediate help nor hindrance. Examples of medium priority change requests are requests that improve workflow processes.
- L – Low: Low priority change requests are addressed if time and budget permit and are managed as resources become available. Examples of low priority change requests are cosmetic changes or "fixes" that do not affect business functional requirements or deliverables.
Only changes classified as High Risk and High Impact, Medium Risk and High Impact, or High Risk and Medium Impact need to be reviewed at Change Advisory Board meetings prior to implementation. Production data changes, meaning mass changes to production data made outside the application, normally bypass application controls.
External Audit
Ex Libris Chief Information Security Officer (CISO) will lead internal and external security audits to validate compliance with this policy.
Management Commitment - Policy Compliance
Ex Libris monitors change management controls to ensure compliance with applicable laws, directives, policies, and guidance through periodic quality reviews. The Security Officer reports to Ex Libris management as necessary regarding compliance. Ex Libris will initiate actions as necessary to correct reported deficiencies, including reallocation of resources to improve implementation of security practices.
Coordination Among Organizational Entities
Ex Libris will identify and coordinate system and information integrity activities with internal and external organizations. The supporting procedures provide details on this coordination.
Policy Review
This policy will be reviewed at least annually by Management to assess its effectiveness and to ensure its continued application and relevance as part of the Ex Libris information security management system (ISMS).
Policy Enforcement
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.
Document Data
Type of Information | Document Data
Document Title: | Ex Libris Change Management Policy
Document Owner: | Eddie Lavian - Security Specialist
Approved by: | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
Issued: | Apr 28, 2019
Reviewed & Revised: | Aug 15, 2022
Record of Changes
Version | Nature of Change | Date Approved
| Initial Version | Apr 28, 2019
| Review and update - Tomer S | Apr 23, 2020
| Review and update - Tomer S | Jun 17, 2021
1.3 | Review and update - Tomer S | Aug 15, 2022
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.