Ex Libris Change Management Policy
Version 1.0
Purpose and Scope
Ex Libris, a ProQuest company, proactively strives to maintain Ex Libris information and information systems. Reliable and accurate information is a vital business asset and critical to proper decision making at Ex Libris. The purpose of change management is to ensure that the system components used to deliver services are identified, recorded, and monitored so that only authorized changes are applied. Change management includes hardware, software, and associated documentation. This policy is a component of the Ex Libris Cloud security governance framework.
The policy applies to all Ex Libris employees, contractors and vendors who are authorized to access systems, applications, databases, networks, information and resources managed or maintained by Ex Libris.
Reference and Documents
· Ex Libris Cloud Services Group Roles and Responsibilities Version 1.9, dated November 13, 2017
· NIST SP 800-53 (Rev 4), Security and Privacy Controls for Federal Information Systems and Organizations
Roles and Responsibilities
The following section details Ex Libris roles and responsibilities regarding change management.
Senior Management
a. Approves company change management policy, procedures and enterprise risks.
b. Allocates resources and tools to implement the change management security control requirements.
VP Cloud Operations
a. Leads the change management activities.
Chief Information Security Officer (CISO)
a. Ensures that proposed changes are compliant with information security directives.
IT/MIS Management and Cloud Management
a. Implements the policy and procedures regarding change management.
HUB
a. Ensures that changes made are properly validated and documented before they are released for production.
b. Monitors changes in production to ensure that they are working as intended.
System Administrators/Developers
a. Follow procedures for change management.
b. Develop, test, and document changes made.
Terms and Acronyms
- Availability: Ensuring timely and reliable access to and use of information.
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Security Impact Analysis: The analysis conducted to determine the extent to which changes to the information system have affected the security state of the system.
Change Management Policy
To protect the confidentiality, integrity and availability of Ex Libris information and information systems, all changes made to Ex Libris systems will be planned, authorized, tested, reviewed, and approved before being implemented.
Change Control
Ex Libris will manage changes to systems and application programs. The change control process includes:
a. Safeguarding production systems. Changes will not be applied directly to systems running in production.
b. Unscheduled changes require the same approval, testing, and review process as planned changes.
c. Enforcement of formal change control procedures.
d. Proper authorization and approvals at all levels.
e. Successful testing of updates and new programs prior to being moved into a production environment.
f. Determining the types of changes needed.
g. Documenting changes implemented for the information system.
h. Implementing approved changes to the information system.
i. Retaining records of changes to the information system for the life of the system.
j. Auditing and reviewing activities associated with changes to the information system.
k. Coordinating and providing oversight for change activities through a Go/No Go board that convenes before changes occur.
l. Testing, validating, and documenting changes to the information system before implementing the changes on the system.
m. Ensuring that updates addressing significant security vulnerabilities are prioritized, evaluated, tested, documented, approved and applied promptly to minimize the exposure of un-patched resources.
n. Using rollback procedures designed to recover to a previous stable version of information systems.
Impact analysis
When changes are planned or unplanned, analysis will be done to determine potential security and privacy impact. As a result of the impact analysis, the following will be documented:
a. Impact to the security, confidentiality, and privacy requirements for Ex Libris functions or services.
b. Where appropriate, classification and handling instructions of information stored in the files.
c. Changes to access control mechanisms used in support of critical functions and services.
External Audit
Ex Libris Chief Information Security Officer (CISO) will lead internal and external security audits to validate compliance with this policy.
Management Commitment - Policy Compliance
Ex Libris monitors change management controls to ensure compliance with applicable laws, directives, policies, and guidance through periodic quality reviews. The Security Officer reports to Ex Libris management as necessary regarding compliance. Ex Libris will initiate actions as necessary to correct reported deficiencies, including reallocation of resources to improve implementation of security practices.
Failure to comply with this policy may result in disciplinary action, up to and including termination.
Coordination Among Organizational Entities
Ex Libris will identify and coordinate system and information integrity with internal and external organizations. The procedures provide details on the coordination.
Policy Review
This policy will be reviewed at least annually by Management to assess its effectiveness and to ensure its continued application and relevance as part of the Ex Libris information security management system (ISMS).
Policy Enforcement
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.
Record of Changes
Type of Information | Document Data |
Document Title: | Configuration Management Policy |
Document Owner: | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
Approved by: | Eyal Alkalay - Ex Libris Sr. Director of Cloud Engineering |
Issued: | Apr 28, 2019 |
Reviewed & Revised: | Apr 28, 2019 |
Record of Changes
Version | Nature of Change | Date Approved |
1.0 | Initial Version | Apr 28, 2019 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.