Information Technology Services Change Control Procedures Effective Date: 02/2005; 02/2007 Reviewed Dates: January 10, 2013

Change Control Procedures

Basis for Procedure UNMC Policy/Procedure Link 6051 Computer Use and Electronic Information Security Policy 1. Purpose Change control is a necessary element of stability and quality assurance in a computer environment. All changes to information systems (hardware and software) should follow a change management process. This includes developing, testing, deploying, and maintaining systems and services, as well as all forms of change which impact the physical location, configuration and administration of assets associated with the computing environment. This procedure does not extend to management of personal desktops or personal file space. 2. PROCEDURE: 1. It is the responsibility of the information custodian/system administrator to protect the hardware and software from unauthorized changes. 2. It is the responsibility of the information custodian/system administrator to assess the risk of implementing a change. The risk assessment should include the risk of impacting the confidentiality, integrity or availability of the systems. 3. The information custodian/system administrator is responsible for developing a change control process which includes as appropriate: Requesting changes Approval of the changes with the appropriate supervisor/administrator. Coordinating the changes with other departments that might be impacted or with ITS when directly involved in the change. Testing of the change Implementation and scheduling of the change with proper notification to users and management Documentation of the change (to be maintained by the information custodian/system administrator) Final report (log the change) A back out process has been established to execute if the change fails

4. It is the responsibility of the information custodian/system administrator to ensure that the change control process takes into account the need for emergency changes. 5. Changes which impact the Clinical Enterprise shall follow The Nebraska Medical Center Change Control Policy Procedures (SYS 020: Change Control) 3. Authorities and Administration 3.1. System Administrators/Information Custodians 3.2. Assistant Vice Chancellor, Information Technology Services 3.3. Information Security Officer

Page 1 of 1 Z:\HIPAA\Policy and Procedure Implementation\UNMC HIPAA-related P&P\Change Control\Change Control_Jan2013_ks.docx