The ICT Change Management policy and guide establish the principles and working practices that are to be adopted when a change is required to the operating environment or standard operating procedures of any system or service that has the potential to affect the stability and reliability of infrastructure or to disrupt the business.
It is the responsibility of the ICT Department to manage the lifecycle of all the systems supporting Dyfed-Powys Police business and technical objectives. As such, all the processes and procedures relating to change control and management are set out in this policy and the associated ‘ICT Change Management Guide’.
Dyfed-Powys Police recognises that there are risks associated with carrying out changes and that the lifecycle of all systems within Dyfed-Powys Police must be managed to ensure full confidentiality, integrity, and availability of both systems and data to meet business and technical objectives.
Applies (but is not limited) to: All categories of Dyfed-Powys Police Officers and staff, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors), seconded staff and volunteers. Police Officers, Staff and Volunteers accessing and using Force assets and property must have due regard to the contents of this policy.
This policy must be adhered to at all times, specifically in relation to a change to the operating environment or standard operating procedures of any system or service that has the potential to affect the stability and reliability of infrastructure or to disrupt the business.
Changes may be required for many reasons, including, but not limited to:
A failure to maintain a change policy and a standardised guide to meet this policy would leave the Force at risk in a number of areas. This policy aims to mitigate the following risks:
The ICT Management team collectively undertakes the role of ‘Change Manager’, according to the discipline associated with the change; however, only one manager approves the change (for audit purposes). The ICT Management team, and other stakeholders where relevant, form the Change Advisory Board, where requests for change are reviewed and decided upon.
Types of changes are defined in the categories below:
Emergency Change
Unscheduled outages (server crashes, etc.) which may require immediate attention whenever they happen. The Change Request process still needs to be followed, but can be carried out retrospectively.
Examples of this type are:
Urgent Change
An urgent change can be requested in circumstances where something needs to be implemented quickly. The change control process needs to be followed; however, depending on the urgency and in exceptional circumstances, it is possible for one of the ICT Management Team to approve the change immediately and not wait for the Change Advisory Board. In ‘normal’ circumstances the ICT Manager that is alerted to the urgent request can contact the other ICT Managers for comment prior to approval (or otherwise). These types of changes must always have a back-out plan or mitigating action plan attached, without which requests will not be considered.
Examples of this type are:
Routine Changes
Routine Changes are considered relatively low risk, are performed frequently, and follow a documented (Change Management approved) process. However, they should not be carried out on a Friday as part of the ICT department’s low appetite for risk.
There is an option for the change submitter to apply a “same change” option on creating the initial request. Monthly updates/patches would fall under this category and effectively become ‘pre-approved’ for the next update. The same change would not need to go through the Change Advisory Board process for the next iteration; however, if the process changes, it would have to be resubmitted taking those changes into consideration.
These are changes that are low risk to the business as the procedures are known and well tested and documented.
Examples of this type are:
This policy is fit for purpose in that it meets organisation requirements and is compliant with control measures as recommended under the ‘Protect’ function of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, specifically ‘PR.IP-3: Configuration Change Control Processes are in place’, and with recommendations provided by the National Cyber Security Centre (NCSC) relating to change management.
The Force complies with the following legislation and all other legislation as appropriate, including, but not limited to:
Related policies, standards, procedures, practices, including, but not limited to:
Policy Owner: The policy is owned by the Head of ICT who is responsible for regularly monitoring the policy for its effectiveness, challenges to the policy, any changes to NIST and NCSC guidance, and any inefficiencies in relation to the implementation of this policy.
Approval Process: Approval of decisions regarding the implementation of the policy is made by the Information Assurance Board.
The ICT Change Management Guide: This guide identifies the procedures and processes in relation to ICT change control.
The procedures and processes identified within the ICT Change Management Guide are applicable to all police officers and police staff who are involved in any aspects of ICT change within Dyfed-Powys Police. Referral to supervisors and managers for advice and guidance must be sought where deemed appropriate.
Key roles and responsibilities:
Senior ICT Operational Management | Change Management
ICT Staff | Submitting change requests, enacting approved requests
The Code of Ethics principles are relevant to this policy.
The ICT Department monitors and implements change in ICT systems. When carrying out this work, any contravening changes which highlight a failure in the processes and procedures outlined in the ICT Change Management Guide will be identified and addressed.
Any significant failures within the procedures contained within the ICT Change Management Guide are referred for consideration to ICT Management.
Guidance and recommendations from relevant organisations, including NIST and NCSC, are always considered with regard to amending and updating this policy.
This policy is reviewed annually.
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.
EQUALITY IMPACT ASSESSMENT COMPLETED: January 2024