

DHHS POLICIES AND PROCEDURES
______________________________________________________________________________________________________________
Section X: Information Technology
Title: Enterprise Services Access Point (ESAP) Change Management
Current Effective Date: 7/1/09
Revision History:
Original Effective Date: 7/1/09
______________________________________________________________________________________________________________
Purpose
To ensure that the North Carolina (NC) Department of Health and Human Services (DHHS) Divisions and Offices adhere to a change management process.
Policy
In large organizations such as DHHS, it is necessary to make Information Technology (IT) infrastructure changes to address security or operational issues. Managing change to systems through a well-engineered and standardized change management process allows for the streamlined maintenance of IT resources, while limiting incidents related to change and improving day-to-day operations.
Implementation
- Enterprise Services Access Point (ESAP) Change Management
All change requests related to DHHS ESAP architecture and design are required to follow the procedure established in subsection 2, "Procedure," below, to ensure the mitigation of associated risks and to minimize disruption to business-critical services.
- ESAP design changes include:
- Addition or removal of ESAP point of ingress or egress [1]
- Enterprise ESAP architectural changes
- Changes involving addition, removal or modification of Virtual Routing and Forwarding (VRF)
- Procedure
Initial requests for DHHS ESAP design changes must be submitted in writing to the NC DHHS Information Technology Governance Committee (ITGC), which is recognized as the executive authority for planning, approving, prioritizing, and directing NC DHHS IT initiatives. The initial submission should:
- Clearly identify the requested change
- State the justification for the change
- List any known impacts of leaving the ESAP environment as-is compared with incorporating the suggested change
- Identify cost associated with the requested change
- Assign a division/office point of contact (POC) for the requested change submission
Upon receipt, the ITGC will review the request and either accept or reject the initial submission. Should the submission be rejected, the ITGC will inform the requestor and file the rejection.
If the ITGC accepts the submission, the request will be submitted to the NC DHHS Enterprise Services Access Point Configuration Control Board (ECCB) for technical review.
The ECCB shall have up to five (5) business days to conduct an initial review and determine if further technical review is required. Once the initial determination has been made, the ECCB shall inform the requesting POC of the time frame for review, should an extension be required.
Upon completion of the review process, the ECCB shall provide a formal written report of its findings to the ITGC to aid in its review and approval process.
Once the ITGC has received the ECCB’s report, it shall make a final decision and inform the requesting POC of the committee’s acceptance or rejection of the requested ESAP change.
Rejected requests for DHHS ESAP design changes may be resubmitted to the ITGC by the division or office unless explicitly denied by the ITGC.
- Divisions/Offices/Facilities/Schools Change Management
Each division/office/facility/school shall manage changes to its systems and application programs to protect the systems and programs from failure as well as security breaches.
Divisions/offices/facilities/schools shall develop adequate change management processes that follow the requirements and guidelines of the DHHS Information Security Change Management Standard.
Enforcement
The DHHS Privacy and Security Officer shall be the point of contact for issues or questions regarding the ongoing implementation of this policy. However, it is the responsibility of division/office/facility/school management to ensure compliance with the provisions of this policy. Deficiencies and/or violations of this policy may subject division/office/facility/school management to corrective actions deemed appropriate by DHHS management.


[1] DHHS ESAP firewall rule changes are outside the scope of this document.