An application or system may be changed to correct a flaw, to accommodate business changes, or to enhance functionality. A change is any action which alters or modifies the production environment, including hardware, software, data communications, etc. This includes the promotion of software from the development environment to test/ quality assurance or production environment. Adequate change control offers the major security benefit of protecting the integrity of programs and data by not allowing unauthorized changes. Procedures for requesting, authorizing, prioritizing, scheduling, distributing, documenting and communicating changes must be established.

Change management includes, but is not limited to modifications of the following: platforms (e.g. migrating to a different IT environment), networking, hardware, operating systems, monitoring and control tools, databases, legacy systems and applications.

This policy is intended to provide a guideline to be followed for change management at Company. Specific change management procedures must be developed by each Department at the Company managing a change request type (e.g. for patch management, the system administrators will develop a patch management procedure). Depending on the change (type, impact, etc.) some of the steps or documents mentioned in this procedure may be suppressed.

The objective of this policy is to ensure the integrity and availability of Company’s information and to prevent damages from uncontrolled changes to all IT and physical infrastructure services that support Company’s finance, marketing, customer operations, human resource and billing systems.