THE OHIO STATE UNIVERSITY COLLEGE OF OPTOMETRY
Computing Policies & Procedures
Proposed: 10 December, 2000
Updated: 05 March 2009
Last Modified: 11 May 2009
Original Approved: 06 June 2002
Version Approved: 23 April 2009
Table of Contents
Introduction ... 3
Optometry General Computing Policy ... 4
Optometry Service and Support Policy ... 8
Major Systems Acquisition, Development & Maintenance ... 12
Policy on Protected Information ... 15
    What is protected information? ... 15
    Handling protected information ... 15
    What happens if protected information is exposed? ... 16
    What is the university’s policy on protected information? ... 17
College of Optometry Password Policy ... 18
College of Optometry Information Technology Change Management Policy for Critical Systems ... 19
Introduction
The following document outlines policies concerning the use of computing resources in the College of
Optometry (known as ‘the College’) at The Ohio State University. The definition of computing resources
shall include any account, computer, peripheral, network or server provided or supported by the College
of Optometry Information Technology Department (known as ‘IT’). Use of these computing resources
includes the use of data/programs stored on IT computing systems, data/programs stored on magnetic
tape, floppy disk, CD-ROM or other storage media that is maintained or supported by IT. The “user” of
the system is any person using the computing resources of the College of Optometry. The purpose of
these policies is to provide an efficient, productive computing environment for all users of College
computing resources. We endeavor to provide an environment where users will find it easy to use these
resources in an effective, ethical and lawful manner.
Users are reminded that College of Optometry computing resources are owned by The Ohio State
University and are to be used only for the purpose for which they are authorized by this policy and are
not to be used for unauthorized activities. Users are hereby reminded that unauthorized use of a
College computing resource is a violation of College and University policies and may also be a violation
of state and federal law. Users are further reminded that the laws and policies mentioned above are
outside the scope of this document as they are too numerous to list; ALL College users are hereby
notified that it is the user’s sole responsibility to be knowledgeable of these laws and policies. Also,
please be advised that explanations of the policies are outside of the scope of this document, and one
should contact Information Technology or the Office of the CIO for any explanations and/or
clarifications.
The computing resources outlined in these policies include both public and protected resources.
Protected College resources include all those that store restricted or sensitive data, including patient
data and are governed by state and federal law. Public College resources are resources that contain
data which is accessible to the public. A stricter standard shall govern the use of protected College
resources. A separate College policy, as well as a University policy define and govern the access and use
of restricted data.
We hope that these policies help to enlist all Optometry users’ assistance in helping to make our
computing environment productive, reliable and secure.
All policies contained herein and updates to these policies are posted on the transfer drive (T:\) here:
T:\COLLEGE DOCUMENTS\POLICIES\Computing
Please check the policy for updates regularly.
Optometry General Computing Policy
The following outlines the College of Optometry’s Acceptable Use Policy regarding the use of College
computing resources.
By using and/or accessing College resources, all users of said computing resources agree to abide by
College of Optometry policies, University policies, local laws, state laws, and federal laws. The specific
University policies that users will be held to can be found on the CIO’s web site (http://cio.osu.edu). Users are
reminded to check the CIO’s web site regularly for changes.
1. As the College of Optometry computing resources store public, sensitive and restricted data, sensitive
and restricted data may not, at any time, be stored on resources that are not authorized to hold such
information.
2. Users are responsible for protecting the data to which they have access via their user account.
3. Users are required to report any weakness in computer resource security, any incidents of possible
misuse or violation of this agreement to the proper authorities by contacting the Director of Information
Technology.
4. Users shall not attempt to access any data or programs contained in College computing resources for
which they do not have authorization by the data owner or the Information Technology Department.
5. Users shall not share their College computing account(s) with anyone. This includes sharing the
password to the account, allowing another user to use your account after logging in, or any other means
of sharing.
6. Users shall not make unauthorized copies of copyrighted software, except as permitted by law or by
the copyright owner.
7. Users shall not install unapproved or non-supported software on any College system without
consultation with Information Technology. This will help to keep all College systems as stable as
possible and keep downtime to a minimum.
8. Users shall not attempt to disable or circumvent anti-virus or security programs present within any
College computing resource.
9. Users shall not make copies of system configuration files (e.g. registry, logon scripts, etc.) for their
own, unauthorized personal use or to provide to other people/users for unauthorized uses.
10. Users shall not purposely engage in activity with the intent to: harass other users, degrade the
performance of computing resources, deprive any authorized user access to a resource, obtain extra
resources beyond those allocated, circumvent Information Technology security measures or gain access
to an Optometry resource for which proper authorization has not been given.
11. Personal use of College computing resources is permitted when it does not consume a significant
amount of those resources, does not negatively impact the user’s job performance and other University
responsibilities, and is in compliance with all applicable laws and policies.
12. Electronic communication facilities (e.g., e-mail, news, web sites) are for authorized College users
only. Fraudulent, harassing or obscene messages and/or materials shall not be sent from, to, or stored
on College computing resources.
13. Users shall not download, install or run security programs or utilities that reveal weaknesses in the
security of any computing resource. For example, users shall not run password cracking programs or
port scanners on any College computing resource.
14. Users not directly employed by Information Technology to support College computing resources shall at no
time have access to any systems or applications that allow the management of security on College
computing resources.
15. Users shall be required to have a password that meets length and strength requirements (see
password policy).
16. New users shall be assigned temporary passwords and will be required to change this password at
first logon. The security system shall remember the previous 5 passwords to ensure that the user does
not re-use them.
17. Users must change their passwords at least every 180 days. The security system shall remember the
previous 5 passwords to ensure that the user does not re-use them.
18. Users shall not purchase or utilize any computing hardware that is not supported by Information
Technology without adequate business justification and written approval from the Director of IT. This
includes peripherals such as USB memory/drives and other peripherals.
19. Users are encouraged not to forward any unsolicited e-mail, in whole or in part, to other users
within the College (for example, virus warnings, news stories, advertisements, OSUToday and University-wide
mailings).
20. Users shall contact Information Technology in order to send any bulk e-mail announcement to any
part of the University community (e.g. OSUToday announcements, bulk mailings to students, etc.). Users
shall not send any such announcement or mailing that has not been approved by the Director of
Information Technology and College administration. Users who wish to send out research-related
mailings are also advised that such mailings may need to be approved by the University’s Office of
Research.
21. Users wishing to send such bulk e-mail shall make sure the message they wish to send does not
exceed approximately 600 characters. Any message that needs to convey more information will need to
have a web page set up to communicate this information to the intended audience.
22. Users requiring support or service shall follow the procedures outlined in the Service and Support
section of this document.
23. As all data contained on College computing systems is owned by the College and The Ohio State
University, backup services shall be provided by IT to all College users. All College-owned data shall be
placed on the user’s U: drive as data contained on this drive is backed up nightly by Information
Technology.
24. All users shall receive a College e-mail address and will utilize Microsoft Outlook when sending e-mail
in the College. Any user utilizing College email shall have their OIT forwarding set to their College
email account. The Director of Information Technology must approve any exceptions to this policy. Each
exception shall be reviewed on a yearly basis.
25. The College’s computing resources shall be solely maintained by Information Technology. The only
exception to this rule concerns direct vendor support for hardware and/or outside support for
application development. There shall be no exceptions made for consultants, students, or employees
not hired by or under the direct supervision of Information Technology. All consultants hired to provide
such support shall require approval by Information Technology.
26. Fulfilling the mission of the College requires reasonable access by users to computing resources.
Security is based on the principle of least privilege. The Director of IT will determine access privileges for
network services. The default status will be 'user.' Once granted, status should not be changed without
reasonable prior notice to the user unless there is clear evidence that such action is needed to prevent
imminent damage to College computing resources.
Any non-compliance with these requirements could have a very detrimental effect on College
computing resources. We ask that all users adhere to these policies to the best of their abilities to assist
Information Technology and your fellow users in maintaining a secure, efficient and productive
computing environment. This, in turn, will allow Information Technology to perform their duties to the
utmost of their abilities and allow them to service all College users in the best manner possible.
Violations of said policies will be reported to the user’s supervisor, the Director of Information
Technology, and the Office of the Dean. Users are reminded that serious violations, especially those
involving patient records, place serious liabilities on the College and therefore could result in civil or
criminal prosecution.
Monitoring of users by Information Technology personnel may take place as a result of suspected
violations of College or University policies and all applicable laws. Monitoring of authorized College
users will take place in accordance with the University CIO’s policies on monitoring of University
personnel. Monitoring of the public (i.e. non-employees and non-students of The Ohio State University)
will take place at the discretion of the Director of Information Technology, in accordance with College
security policies.
Users are also reminded that logging of user activities is a normal process of the systems and software
installed on the College network and does not constitute monitoring (under the University CIO’s definition
of monitoring), although such logs may be used as evidence to commence active monitoring and may
also be used as evidence if so required by law enforcement or other legal means.
Optometry Service and Support Policy
The following outlines the College of Optometry’s Service and Support policy involving College
computing resources.
Following are policies and procedures that shall be undertaken by Information Technology and by users
requiring service and/or support. User adherence to these policies will ensure that the College maintains
an effective, efficient system of computing resources. The following also outlines issues that are under
the domain of IT Support.
Information Technology has responsibility for maintaining College computing resources within a large
community of users. The responsibility to maintain a functioning network for the benefit of all within the
College must be fulfilled while maintaining a respect for the sensitive nature of the information
contained on computers and in users' work areas. The following policies outline the authority of IT with
respect to access to individuals' work area and computing resources.
1. Generally, any hardware problem with a user’s IT-supported personal computer/terminal or its
network connection is within the domain of IT Service. IT only provides support for university-owned
equipment.
2. Support is also provided for software-related issues concerning supported software applications. If
you are unsure if a specific software package is supported, please contact the Director of IT.
3. Users shall consult IT when planning the purchase of computing hardware regardless of the source of
funding or purpose of the equipment. IT consultation will greatly help to avoid the purchase of
equipment that is of lesser quality or that is not compatible with other College computing resources and
allow the College to be a good steward of its limited resources. Hardware shall not be connected to the
College network without the express permission of Information Technology.
4. Users shall use personal computers that allow the use of Microsoft Windows. Any exceptions to this
policy are solely for faculty or for tasks which can only be performed on an alternate operating system.
Computers that utilize alternate operating systems (e.g. MacOS, Linux, Solaris, IRIX) may not be able to
adequately access many College computing resources, although Information Technology shall make
every effort to allow adequate access to College computing resources to other operating system
platforms. Information Technology recognizes the value of mobile productivity tools, such as handhelds
and cell-phones, and will make every effort to assist in the utilization of these devices. However, there
is no official support for these devices and any support provided will be time-permitting.
5. Unless prior arrangements have been made with IT, support for, or installation of, specialized
hardware or applications is beyond the scope of service provided by Information Technology. In this
case, users shall arrange support for such hardware or software with the hardware/software vendor.
This includes non-OSU internet service providers (e.g. AOL, Prodigy, AT&T Worldnet, etc.).
6. IT Support Contact Procedures:
a. The preferred and most efficient way to contact Information Technology is via the Help Desk website.
The website may be accessed via the College’s “MyOffice” page here:
http://optometry.osu.edu/myoffice/, then click on “Help Desk.” After submission of your ticket, you will
receive an e-mail outlining an estimate of when your ticket will begin to be addressed. To avoid
confusion and to save time, the user who files a ticket should be the only user communicating with IT
Support concerning the issue.
b. All issues require that a Help Desk ticket be created. It is imperative that you attempt to file a detailed
Help Desk ticket before contacting IT Support as defined below.
c. Other methods of contacting IT Support are as follows:
i. Via e-mail at: [email protected] (note: please do not send e-mail specifically
requesting support to IT staff’s personal address(es); this can cause delays in service as we
cannot see what is received in each other’s accounts).
ii. Via telephone: 688-4596. If you get voice mail, please leave as detailed a message as possible.
Voice mail messages will be checked at least once per day.
7. IT Support will respond to requests for help with an estimate as to when the issue will be addressed.
IT Support will also contact the user if there is a subsequent change in the scheduling for the request. IT
Support will respond to requests for help as follows:
a. Any Help Desk ticket filed as Urgent (immediate) or ASAP (within 24 hours) will receive a
response via e-mail within 4 working hours.
b. If your computer is inoperative, IT will provide the user with a written response or a
telephone call.
8. It is part of the job of IT to determine what needs to be done to repair a computer and where and
how the work is to be completed. IT should make reasonable efforts to communicate these plans to the
user if the repair involves removal of a computing resource from a work area or making significant
modifications to hardware or software. IT will not initiate unrelated work without consultation with the
user. It may be possible to provide the user with a loaner computer in these cases. If a loaner is
unavailable, some alternative systems that could be used are:
a. Any of the College of Optometry student computing lab computers.
b. The computer in one of the small class/conference rooms
c. The IMC loaner laptop(s).
9. If a hard drive crash occurs, IT will perform all possible operations to retrieve the data. However, if
the data is unrecoverable, the user is responsible for all data that has not been stored on their U: drive.
If the data is deemed extremely important and must be recovered, arrangements will be made with a
professional recovery service. Payment arrangements for recovery services shall be made with funding
from your unit or grant.
10. In the event that a user or group needs a custom application developed by Information Technology,
detailed information as to the scope and functioning of the application shall be forwarded to the
College’s Director of IT. As IT time is limited in respect to these projects, the Director of IT will make
these decisions on a case-by-case basis.
11. Any users who are exempt from certain points of College policy and permitted to use non-College e-mail
systems (i.e. OIT e-mail), shall contact the OIT Help Desk at 688-HELP for support. Information
Technology cannot provide direct support for any system managed by OIT.
12. If a support issue has not been addressed to any user’s satisfaction, users shall contact the Director
of Information Technology outlining the nature of the computing issue and the problem the user is
having in dealing with IT Support to solve the issue. If the Director of Information Technology does not
address your complaint to your satisfaction, users are then encouraged to contact the Office of the
Dean.
13. Offices and work areas will be considered private. IT will enter these areas to perform any work only
with prior consent. The user shall specify the desire to be present during completion of work and
provide available times on the Help Desk ticket. Stating that there is no need to be present gives IT
permission to enter the work area to complete the ticket work request. Access to an office or work area
without the permission of the individual user, employee, or user's supervisor will occur only in situations
where there is clear and present need that such access is necessary to prevent imminent damage to the
integrity of College computing resources.
14. Once a ticket request is submitted, IT should only perform the work requested by the user. Removal
of a computing resource from a work area or making significant modifications to hardware or software
outside of the scope of the ticket request should only be done after communication with the user. Users
are reminded that the resolution of any problem may, in fact, require significant changes. The user will
be informed in the event a significant modification is needed.
15. Remote operation of a user’s computer should only be conducted with the prior consent of the user,
or user's supervisor unless there is a clear and present need that such action is necessary to prevent
imminent damage to the integrity of College computing resources.
16. Logging and monitoring of College computing activity is a necessary part of maintaining the network.
Monitoring will be conducted according to University policy. Logging will be conducted with due respect
for the sensitive and possibly confidential nature of the activities of individual users when possible, in
addition to all applicable laws and university regulations. Unauthorized monitoring or breaches of
confidentiality are considered by IT to be serious violations of both University and College policy and will
not be tolerated. Users should be aware that their uses of College computing resources are not
completely private. While the university or College does not routinely monitor individual usage of its
computing resources, the normal operation and maintenance of the College's computing resources
require the backup and caching of data and communications, the logging of activity, the monitoring of
general usage patterns, and other such activities that are necessary for the rendition of service. The
university may also specifically monitor the activity and accounts of individual users of university
computing resources without notice, when (a) the user has voluntarily made them accessible to the
public, as by posting to Usenet or a web page; (b) it reasonably appears necessary to do so to protect
the integrity, security, or functionality of university or other computing resources or to protect the
university from liability; (c) there is reasonable cause to believe that the user has violated, or is violating,
this policy; (d) an account appears to be engaged in unusual or unusually excessive activity, as indicated
by the monitoring of general activity and usage patterns; or (e) it is otherwise required or permitted by
law. Any such individual monitoring, other than that specified in "(a)", required by law, or necessary to
respond to perceived emergency situations, must be authorized in advance by the CIO or the CIO's
designees. Unauthorized monitoring or breaches of patient confidentiality would be considered
violations of both university and College policy. Users are directed to
http://www.cio.ohio-state.edu/policies/use_policy.html for the full text of the university “Policy on
Responsible Use of University Computing Resources.”
Major Systems Acquisition, Development & Maintenance
This section will address procedures to be used when acquiring large new hardware or software
systems. Examples of such are computers, clinic database applications, etc.
Systems acquisition and development are a very important part of the College computing environment
and also greatly affect overall Information Technology policy. These systems affect the largest amount
of users and systems. The guidelines below have been established to ensure the best
systems/applications are purchased for each situation.
Systems Acquisition
The first section of this policy shall deal with the acquisition of hardware systems, such as computers,
switching equipment, rack systems, and products relating to network wiring infrastructure.
When purchasing computers, Information Technology shall perform a needs analysis to determine the
minimum equipment needed to process data at the highest level of efficiency. Computers shall be
purchased with the thought in mind that they should last 3-5 years. Therefore, the best systems that
will fit within the budgetary constraints shall be purchased.
When Information Technology performs the needs analysis, the following information will be required:
• What software applications will be installed and operated on the system.
• Minimum amount of memory needed.
• Minimum amount of processing power required to operate installed applications.
In order to lower acquisition costs and support overhead, preference will always be given to University
Standard Configurations unless an adequate business justification is provided and approval is granted by
the Director of IT.
Application Development
When applications need to be developed internally or with the assistance of external consultants, the
following policies shall apply:
1. Information Technology shall do a needs assessment to record the essential requirements of the
application.
2. Information Technology shall also include non-essential requirements in the application needs
assessment.
3. Information Technology shall communicate with the targeted end users of the application and will
factor into the needs assessment all end user requirements and suggestions to the greatest extent
possible.
4. If the application is to be developed internally, Information Technology shall determine how best to
build the internals of the application, e.g. programming language, database setup, etc.
5. If the application is to be developed outside of the College, Information Technology will write up an
RFP (Request for Proposal) and submit it to Purchasing who will manage the RFP process.
6. Information Technology shall work with the vendor to guarantee that the new application integrates
with existing College computing resources to the highest extent possible.
7. When addressing the building or purchasing of applications that will be holding patient or other
confidential information, Information Technology shall use higher security standards (to be enumerated
at the time of purchase/development) in the needs assessment for such applications.
8. Internal application security shall be a part of system development in order to help maintain the
confidentiality of any information in the application.
9. For all applications, a beta-testing period shall be used to expose the application to a sampling of end-users
that will be using the product to ensure that end-user needs are being met. This beta-testing will,
preferably, be performed on Optometry computing systems to ensure they work in the environment in
which they will be used.
Application Maintenance
The following policies apply to the day-to-day maintenance of any computing applications that affect
several users, i.e. system-wide changes:
1. Any changes that need to be made to the system that will affect more than one user of the system
shall be reviewed by Information Technology to ensure that no damage will occur.
2. Any changes made to the system that will affect more than one user shall only be made by
Information Technology staff. At no time may end users of the application and/or system make system-wide
changes.
3. Security restrictions placed in the application shall restrict end users from making such changes to the
extent possible.
4. The internal security settings of such applications at no time will be accessible to the end users of the
application.
5. To the greatest extent possible, any changes to be made to the application shall be first tested on a
system dedicated to testing the application and any changes made to it. When it is not possible to test
the changes first, a backup will be performed immediately prior to making the changes.
6. When any changes are to be made to an application, the request shall be recorded.
7. Information Technology personnel, when making such changes, shall record any and all steps taken in
changing the application.
Policy on Protected Information
The age of the Internet has dramatically increased the availability and flow of information across
the globe. While this tool has revolutionized many industries, including higher education, it has also
presented complications such as identity theft. Identity theft can be very costly both to the individual
and to the university. Very little information is required for identity thieves to assume an individual’s
identity; therefore, it is our responsibility to ensure the data we store remains private. How do we keep
the information we want to keep private from becoming publicly available? The College of Optometry
takes all reasonable measures to adequately guard our protected information. However, technology
alone cannot keep all information secure, all of the time. A great deal of responsibility lies with the user
to ensure our protected data is not compromised.
What is protected information?
Protected information can be defined as any information which should not be disclosed to unauthorized
persons, intentionally or accidentally. This seems very simple, but becomes more complicated when we
consider how certain information must be handled. Certain information is not only sensitive, but
protected by federal and state laws. Information primarily used by the College of Optometry is
protected by the Federal Education Rights and Privacy Act (FERPA) and the Health Insurance Portability
and Accountability Act (HIPAA). Every employee of the College of Optometry is required to complete
FERPA and HIPAA training prior to accessing information protected by these federal laws, but the
university has several key guidelines which are helpful in maintaining compliance with FERPA:
• Grades must not be posted unless accompanied by an identifier that is unrecognizable by
anyone other than the student
• Rosters, etc. must not be left in public or semi-public areas
• References must not contain grade or grade-point information unless the student has given
prior written consent. Other protected information that should not be divulged includes
students' social security number, race or ethnicity, gender, nationality, academic
performance or disciplinary records
• For students 18 and over, written student consent is required before any information can be
shared with parents
For more information about protected information, please see the University’s Institutional Data Policy
located at http://cio.osu.edu/policies/institutional_data/.
Handling protected information.
The very best way to ensure protected data remains protected is never to store it at all. Unfortunately
in today’s world, this is not always possible. In the College of Optometry, as with any organization,
protected information must be handled in such a way as to prevent unauthorized access. Additionally,
information must be stored in specific locations to ensure the proper technology is in place to protect
the data.
• Protected information should always be stored in an encrypted format or in a protected location.
• Protected information should always be stored on the college file servers, never on desktop or
laptop computers, not even temporarily.
• University policy prohibits the storage of protected information on non-OSU owned devices,
including USB flash drives, computers, etc.
• Protected information should never be transmitted by e-mail.
• Storage of personal financial information is prohibited; it must not be stored anywhere on the
College of Optometry network.
• Devices containing protected information must be disposed of properly by the College IT staff.
• Remote access to protected information is prohibited.
It is advisable that, wherever possible, protected information should be redacted from files. Thieves
cannot steal what we do not have. Removing social security numbers and other identifiable data from
files goes a long way toward preventing identity theft.
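Finding the numbers that should be redacted is the practical half of the advice above. The following is an added example, not part of the College's procedures: it scans text for dashed Social Security numbers (the identifier the paragraph names) and, going one step beyond it, for the card numbers that appear in the breach-notification definition later on this page, using the Luhn check digit to discard look-alike numbers. The regular expressions, the plausibility rules and the sample records are assumptions constructed for illustration.

```python
"""Locate and mask SSNs and payment card numbers in free text.
Added example; the patterns and SAMPLE below are constructed, not College data."""
import re
from typing import List, Tuple

# Dashed SSN form only: nine bare digits match far too many other identifiers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (areas 000, 666 and 900-999,
    group 00, serial 0000), which removes the most common false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every plausible SSN and Luhn-valid card."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def redact(text: str) -> str:
    """Mask each identifier but keep the last four digits, which is enough to
    reconcile a record without retaining the full number."""
    def mask_ssn(m):
        if is_plausible_ssn(*m.groups()):
            return "XXX-XX-" + m.group(3)
        return m.group(0)

    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return "[card ****" + digits[-4:] + "]"
        return m.group(0)

    # SSNs first, so the masked text can never be re-read as part of a card number.
    return CARD_RE.sub(mask_card, SSN_RE.sub(mask_ssn, text))


# Constructed sample: one real-looking SSN, one card test number, two decoys.
SAMPLE = (
    "Patient: Jane Doe  SSN: 123-45-6789  DOB: 1990-01-01\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Order ref: 1234 5678 9012 3456 (fails Luhn, so not a card number)\n"
    "Legacy ID: 000-12-3456 (area 000 is never issued as an SSN)\n"
)

if __name__ == "__main__":
    for kind, value in find_identifiers(SAMPLE):
        print(f"{kind}: {value}")
    print(redact(SAMPLE))
```

Run it against a directory of exported spreadsheets or text files before they are moved to the file server; anything it reports is a record that should either be redacted or stored only in the protected location the policy requires. The Luhn and SSA-range filters reduce noise but do not eliminate it, so review the hits rather than redacting blindly.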
What happens if protected information is exposed?
Data exposures can be very costly for the university and the individual. The smallest data exposure can
cause significant embarrassment to the college and to the university and its negative impact can be felt
for a very long time as our faculty, staff, students and alums lose respect and trust in the organization.
The State of Ohio has passed legislation, House Bill 104 (HB 104), which requires the university to
notify the individuals whose information has been exposed. The notification process begins when it is
confirmed or suspected that the following information has been exposed:
• Any combination of an individual's name and any of the following:
o social security number
o driver's license number or state identification number
o account number, credit card number or debit card number, in combination with any
of the following items that would permit access to the individual's financial account:
   o required security code
   o access code
   o password
If a suspected breach of protected information occurs, the individual must immediately notify the
Director of Information Technology who will coordinate and initiate the investigation process as defined
in the University Policy on Disclosure or Exposure of Personal Information.
What is the university’s policy on protected information?
All employees of the College of Optometry must familiarize themselves with the university policies
surrounding protected and sensitive information. These can be found at the CIO’s Buckeye Secure
website located at http://cio.osu.edu/buckeyesecure/policies_index.html.
College of Optometry Password Policy
The College of Optometry has adopted a strong password policy in compliance with the OSU Minimum
Computer Security Standard (MCSS). Passwords must be at least 9 characters in length, and contain
characters from 3 out of the following 4 categories:
• Uppercase letters (A-Z)
• Lowercase letters (a-z)
• Numbers (0-9)
• Non-alphanumeric (for example, !, @, #, $...)
To change your password, press ctrl+alt+del once you are logged in and choose “Change Password” on
the lower left.
Passwords must be changed every 180 days.
When creating your new password:
Don’t get stuck in the mindset that your “password” actually has to be just one big word. You may use
several words or a phrase, as long as it contains the necessary characters. Spaces are also allowed.
Passwords do not need to be changed dramatically. Subtle changes to passwords can be easier to
remember than dramatic changes! The new password should still not be the old one with only a trailing
number changed, since that is the first variation anyone who has learned the old password will try.
For more tips and guidelines, please refer to this article:
http://www.microsoft.com/athome/security/privacy/password.mspx
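The rule above (at least 9 characters, 3 of 4 character classes, spaces permitted) is easy to get subtly wrong in a self-service tool, so here is an added example of checking it; it is not the College's or Microsoft's code. The trivial-variation check at the end goes beyond the stated policy and is an assumption of this example, as are the sample passwords.

```python
"""Validate a candidate password against the College's stated policy.
Added example; the policy wording is the page's, the code and samples are not."""
import string
from typing import List

MIN_LENGTH = 9
REQUIRED_CLASSES = 3
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_present(password: str) -> List[str]:
    """Names of the character classes found in the password. A space belongs to
    none of the four classes: it is allowed but does not count toward the 3 of 4."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def policy_violations(password: str) -> List[str]:
    """Empty list when the password satisfies the stated policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_present(password)) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} of the 4 character classes")
    return problems


def is_trivial_variation(old: str, new: str) -> bool:
    """Assumed heuristic, not part of the stated policy: treat the change as
    trivial when the two passwords are identical once case and digits are
    ignored, e.g. 'Winter2008!' -> 'Winter2009!'."""
    def normalize(p: str) -> str:
        return "".join(c for c in p.lower() if not c.isdigit())
    return normalize(old) == normalize(new)


def check_change(old: str, new: str) -> List[str]:
    """All reasons a proposed change from old to new should be refused."""
    problems = policy_violations(new)
    if is_trivial_variation(old, new):
        problems.append("new password is a trivial variation of the old one")
    return problems


if __name__ == "__main__":
    # Constructed samples: a passphrase with spaces, one lacking classes,
    # one too short, and a year bump on an otherwise unchanged password.
    for old, new in [
        ("Winter2008!", "Correct horse 9!"),
        ("Winter2008!", "correct horse battery"),
        ("Winter2008!", "Abc123!"),
        ("Winter2008!", "Winter2009!"),
    ]:
        print(repr(new), "->", check_change(old, new) or "accepted")
```

Note that the classifier counts classes, not strength: "Correct horse 9!" passes because it contains all four classes and spaces are allowed, while a long all-lowercase phrase fails even though it may be harder to guess. That is a property of the policy being enforced, not of the checker.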
If there are any other issues concerning passwords, please contact Support at
College of Optometry Information Technology Change Management
Policy for Critical Systems
The College of Optometry, in an effort to coordinate changes to critical systems, has developed a change
management policy. The purpose of this policy is to minimize the risk and impact of changes to our
computing environment, to make the change process more efficient, and to establish guidelines for
adequate documentation of system changes.
For the purposes of this policy, changes are defined as the following actions on any system whose
purpose is to serve multiple end users:
• Hardware – Installation, modification, removal or relocation of equipment
• Software – Installation, patches, upgrades, configuration changes
Tasks outside of the scope of this policy:
• Disaster Recovery/Backup
• Changes to non-production equipment
• Tasks required for day-to-day operations
o Examples include Account Creation/Removal, Password Changes (except service
accounts)
• Updates to the College or Clinic Websites
Process:
Proposal and Approval
Changes to critical systems must undergo an approval process prior to implementation. The purpose of
this approval process is to not only prevent unauthorized changes to the systems, but to allow an
additional review of the proposed change for risk and possible business impact. Proposed changes
should be submitted to the help desk for ticketing and tracking; once approval has been granted via a
help desk response, the change can be scheduled and completed. In the event of vendor-implemented
changes, the system administrator, not the vendor, is responsible for obtaining approval and
documenting the change.
Elements which must be included in the request are listed below:
• Proposed change
• Detailed purpose (i.e. what issue does it resolve?)
• Who requested the change, if not the submitter
• Risk analysis (i.e. worst case scenario, including business impact and action plan for recovery)
• Intended date/time for change to take place
• Who needs to be or has been notified of the impending change
Changes without the above elements will not be approved.
Documentation
Documentation of changes is a critical step in the change management process which must be
completed thoroughly and accurately. A wiki has been implemented to store documentation of critical
systems and is indexed by device. After a change is completed, documentation must be appended to
the wiki page for the device involved. Documentation must include all elements from the approval
process in addition to any notes regarding the change procedure, particularly those which would aid in
future troubleshooting.
Blanket Approval for Routine Changes and Emergency Changes
Management recognizes the need for routine updates to systems to ensure the proper, secure
operation of said equipment. In these cases (e.g. Microsoft OS patches), management approval is
understood, but documentation must still take place. This does not apply to vendor-implemented
changes.
Changes of an urgent nature which need to take place to ensure the security or reliability of the computing
environment do not require pre-approval, but a well-documented debriefing of management is
required after problem resolution.
Roles
The Director of Information Technology shall serve as the change management coordinator, except in
cases where change is implemented by the Director during which the Network Administrator will serve
as approver for system changes. Changes implemented by a vendor or clinic staff to the practice
management system shall be coordinated and approved by the Clinic Information System Coordinator,
except where the change is directly implemented by the Coordinator during which the Network
Administrator will serve as the approver for system changes. In the absence of any required approver,
the requestor shall consult with any member of the IS staff and, if the staff member concurs, the
change shall be deemed approved.