Change Management Policy
Breakout Learning Inc.
Purpose
This policy establishes Breakout Learning Inc.’s processes to manage changes across the organization in a well-communicated, planned, and predictable manner that minimizes unplanned outages and unforeseen system issues.
Roles and Responsibilities
- CTO: Oversees and approves all system changes.
- Policy Manager: Ensures adherence to change management processes and updates the policy as needed.
- IT Security Team: Implements and maintains encryption controls, ensuring changes do not compromise security.
Policy
Breakout Learning Inc. is committed to managing system and application changes in a way that minimizes risk and ensures stability. All changes (e.g., operating system, hardware, networks, applications, data centers) must follow the applicable change management procedures, ensuring proper planning, approval, testing, and communication.
Procedures
The change management process aims to introduce any change into production while following correct procedures, maintaining documentation, performing thorough testing, and obtaining proper approval.
Organizational Change Control
The following procedures apply to all changes, including infrastructure, code, and networking changes:
- A record of agreed authorization levels will be maintained.
- Only authorized users can submit changes.
- Security controls and integrity procedures will be reviewed to ensure they are not compromised by changes.
- All impacted software, databases, hardware, and other assets will be identified.
- Security-critical code will be identified and checked to minimize the likelihood of security weaknesses.
- Formal approval must be obtained before changes are made.
- Changes must be implemented at times that are least intrusive to business processes.
- Vendor-supplied software will be used without modification unless necessary, in which case the following will be considered:
  - Risk to built-in controls and integrity processes.
  - Vendor consent and whether modifications can be obtained as standard updates.
  - Compatibility with other software.
Technical Review and Platform Changes
A technical review of applications will be conducted after changes to operating platforms, covering:
- Application control and integrity procedures.
- Notification of platform changes in advance to allow for testing and review.
- Necessary updates to business continuity plans.
Change Types
Planned Changes
For planned changes, Breakout Learning Inc. will:
- Plan implementation with assigned tasks, deadlines, and resources.
- Implement changes according to the plan.
- Monitor the implementation to confirm adherence to the plan.
Unplanned Changes
For unintended changes, Breakout Learning Inc. will:
- Review the consequences of the changes.
- Evaluate any adverse effects.
- Implement actions to mitigate adverse effects.
Emergency Changes
For critical issues (e.g., newly discovered vulnerabilities), an expedited emergency process will be conducted with prioritized approvals.
Software Development and Testing
For software development and system changes:
- Extensive testing covering usability, security, and potential effects on other systems must be conducted.
- Tests will take place in a test environment, with all related program source libraries updated accordingly.
- Only trained administrators with proper authorization can update operational systems.
- All systems will use configuration control to manage software and system documentation.
- Rollback strategies must be in place for all changes.
- An audit log will be maintained for all updates to operational program libraries.
Supplier Services
Changes to supplier services are managed under the Vendor Management Policy, ensuring compliance with Breakout Learning Inc.’s standards.
Configuration Management
Changes to production systems and networks must adhere to the following:
- All production changes are approved by the CTO.
- Terraform is used to standardize and automate configuration management.
- No systems are deployed into Breakout Learning Inc. environments without approval.
- All changes must undergo testing before being moved to production.
- Tooling is used to generate an up-to-date inventory of systems hosted on GCP.
- Frontend and backend systems are segregated across different servers or containers.
- Software and systems undergo unit and end-to-end tests before production deployment.
- All code must be reviewed via pull requests in GitHub to ensure quality and security.
Change Tracking and Monitoring
- All changes are tracked in Breakout Learning Inc.’s ticketing system (Notion) using unique ticket numbers.
- Shared identities (if necessary) must be approved and documented.
- All systems are synchronized to a single time source across the network.
- Virtual network configurations must align with physical network configurations and security policies.
Change Security Measures
Change security measures include:
- Branch protection rules in GitHub.
- Security team review for significant changes.
- Only authorized personnel with escalated privileges may deploy changes to production.
- Post-deployment QA testing ensures changes function as intended.
Configuration Control
The Change Control Board (CCB) oversees the approval of all change requests. Its responsibilities include:
- Reviewing change requests that may significantly impact the system.
- Ensuring that changes comply with business, technical, and security requirements.
- Conducting an ROI analysis for designated changes.
Training
All personnel involved in change management must receive training on:
- Role, responsibility, and authority in the change management process.
- Change management standards and procedures.
- Use of change management tools.
Appendix A: Configuration Management Plan (Template)
General Information
- Purpose: Define the scope of the Configuration Management Plan as it relates to Breakout Learning Inc.
- System Overview: Provide a general description of the system architecture and functionality.
Configuration Control
- Change Control Board (CCB): Define the roles and responsibilities of the CCB.
- Configuration Items: List all software, hardware, data, and network components under configuration control.
Baseline Identification
- Functional Baseline: Define the requirements and data characteristics for system development.
- Design Baseline: Outline system design and allocation of requirements.
- Development Baseline: Detail the generation of computer programs and databases.
- Product Baseline: Established during system evaluation, incorporating changes after testing.
Revision History
| Version | Date | Editor | Approver | Description of Changes |
| --- | --- | --- | --- | --- |
| 1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version |