The ICT Change Management policy and guide establish the principles and working practices that are to be adopted when a change is required to the operating environment or standard operating procedures of any system or service that has the potential to affect the stability and reliability of infrastructure or to disrupt the business.
It is the responsibility of the ICT Department to manage the lifecycle of all the systems supporting Dyfed-Powys Police business and technical objectives. As such, all the processes and procedures relating to change control and management are set out in this policy and the associated ‘ICT Change Management Guide’.
Dyfed-Powys Police recognises that there are risks associated with carrying out changes and that the lifecycle of all systems within Dyfed-Powys Police must be managed to ensure full confidentiality, integrity, and availability of both systems and data to meet business and technical objectives.
Applies to (but is not limited to): all categories of Dyfed-Powys Police employees, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors) or seconded staff. Any employee accessing and using Force assets and property must have due regard to the contents of this policy.
2. Policy Scope
This policy must be adhered to at all times, specifically in relation to a change to the operating environment or standard operating procedures of any system or service that has the potential to affect the stability and reliability of infrastructure or to disrupt the business.
Changes may be required for many reasons, including, but not limited to:
Vendor recommended/required changes
Changes in regulations
Hardware or software upgrades
Hardware or software failures
Changes or modifications to the infrastructure
Environmental changes (electrical, air conditioning, data centre, etc.)
A failure to maintain a change policy and a standardised guide to meet this policy would leave the Force at risk in a number of areas. This policy aims to mitigate the following risks:
Inability/limitations on tracing changes back to originator following an incident
Inability to proactively plan and manage changes
Potential for negative impact on the business
Potential to affect operational policing
Lack of oversight on changes
The ICT Management team collectively undertake the role of ‘Change Manager’, each according to the discipline associated with the change; however, only one manager approves each change (for audit purposes). The ICT Management team, and other stakeholders where relevant, form the Change Advisory Board, where requests for change are reviewed and decided upon.
Types of changes are defined in the below categories:
Unscheduled outages (server crashes, etc.), which may require immediate attention whenever they happen. The Change Request process still needs to be followed, but it can be carried out retrospectively.
Examples of this type are:
A department or physical site is without service
A severe degradation of service requiring immediate action
A system/application/component failure causing a negative impact on business operations
A response to a natural disaster
A response to an emergency business need
An urgent change can be requested in circumstances where something needs to be implemented quickly. The change control process still needs to be followed; however, depending on the urgency and in exceptional circumstances, one of the ICT Management Team may approve the change immediately rather than waiting for the Change Advisory Board. In ‘normal’ circumstances the ICT Manager who is alerted to the urgent request can contact the other ICT Managers for comment prior to approval (or rejection). These types of changes must always have a back-out plan or mitigating action plan attached; requests without one will not be considered.
Examples of this type are:
Change that results in a business or operational practice change
Change that results in an interruption to a service, or has a significant risk of an interruption to service
Changes in any system that affect disaster recovery or business continuity
Introduction or discontinuance of a service
Routine changes are considered relatively low risk, are performed frequently, and follow a documented (Change Management approved) process. However, in line with the ICT department’s low appetite for risk, they should not be carried out on a Friday.
There is an option for the change submitter to apply a “same change” option when creating the initial request; monthly updates/patches would fall under this category and effectively become ‘pre-approved’ for the next update. The same change would not need to go through the Change Advisory Board process for the next iteration; however, if the process changes, it would have to be resubmitted taking those changes into account.
These are changes that are low risk to the business as the procedures are known and well tested and documented.
Examples of this type are:
Regularly scheduled maintenance
Operating system patches (service packs etc.)
3. Powers and Policy/Legal Requirements
This policy is fit for purpose in that it meets organisational requirements and is compliant with control measures as recommended under the ‘Protect’ function of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, specifically ‘PR.IP-3: Configuration Change Control Processes are in place’, and with recommendations provided by the National Cyber Security Centre (NCSC) relating to change management.
The Force complies with the following legislation and all other legislation as appropriate, including, but not limited to:
Computer Misuse Act 1990
Data Protection Act 2018
UK General Data Protection Regulation
Related policies, standards, procedures, practices, including, but not limited to:
Dyfed-Powys Police ICT Change Management Guide
Dyfed-Powys Police Information Security Policy and Associated Standards
Dyfed-Powys Police Data Protection Policy
4. Options and Contingencies
Policy Owner: The policy is owned by the Head of ICT who is responsible for regularly monitoring the policy for its effectiveness, challenges to the policy, any changes to NIST and NCSC guidance, and any inefficiencies in relation to the implementation of this policy.
Approval Process: Approval of decisions regarding the implementation of the policy is made by the Information Assurance Board.
The ICT Change Management Guide: This guide identifies the procedures and processes in relation to ICT change control.
The procedures and processes identified within the ICT Change Management Guide are applicable to all police officers and police staff who are involved in any aspect of ICT change within Dyfed-Powys Police. Supervisors and managers must be consulted for advice and guidance where appropriate.
The following Code of Ethics principles are relevant to this policy:
Accountability - We are answerable for our decisions, actions and omissions.
Fairness - We treat people fairly.
Honesty - We are truthful and trustworthy.
Integrity - We always do the right thing.
Leadership - We lead by good example.
Objectivity - We make choices based on evidence and our best professional judgement.
Openness - We are open and transparent in our actions and decisions.
Respect - We treat everyone with respect.
Selflessness - We act in the public interest.
5. Take action and review
The ICT Department monitors and implements change in ICT systems; when carrying out this work, any non-compliant changes that highlight a failure in the processes and procedures outlined in the ICT Change Management Guide will be identified and addressed.
Any significant failures within the procedures contained within the ICT Change Management Guide are referred for consideration to ICT Management.
Guidance and recommendations from relevant organisations, including NIST and NCSC, are always considered when amending and updating this policy.
CODE OF ETHICS CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
EQUALITY IMPACT ASSESSMENT
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
foster good relations between persons who share a relevant protected characteristic and persons who do not share it.
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.