xcPEP Change Management Policy
1. Purpose and Scope
This Change Management Policy defines the framework for managing all changes to the xcPEP SaaS platform, its underlying infrastructure (AWS), and associated services. The policy aims to minimize risks, ensure service stability, and maintain the integrity of our systems through a controlled, documented, and auditable process.
2. Definitions
- Change: Any addition, modification, or removal of anything that could have an effect on IT services.
- Standard Change: A pre-authorized change that is low-risk, relatively common, and follows a predefined procedure (e.g., minor software updates, routine maintenance).
- Normal Change: A non-emergency change that requires formal review and approval (e.g., new feature deployments, significant infrastructure changes).
- Emergency Change: An urgent change required to restore critical service functionality or address a severe security vulnerability, requiring expedited approval.
3. Change Management Process
All changes, regardless of type, follow a defined lifecycle:
- Change Request (CR): Initiation of a change through a formal request, documenting the proposed change, its justification, and potential impact.
- Review and Approval: CRs are reviewed by relevant stakeholders and approved based on their impact, risk, and urgency. For Normal Changes, this often involves a Change Advisory Board (CAB) or equivalent.
- Planning: Detailed planning of the change, including implementation steps, resource allocation, communication plan, and a comprehensive rollback procedure.
- Testing: All changes are thoroughly tested in non-production environments (e.g., development, staging) to identify and rectify any issues before production deployment.
- Implementation: Execution of the change in the production environment according to the approved plan.
- Post-Implementation Review: Verification that the change was successful and had the intended effect without adverse impacts. Lessons learned are captured.
- Documentation: All aspects of the change, from request to review, implementation, and verification, are meticulously documented within our change management system.
4. Scheduled Maintenance & Customer Notification
- Notification: We provide customers with a minimum of 7 days' advance notice for all scheduled maintenance windows that may result in service unavailability. Notifications are sent via email to designated contacts and posted on our official status page.
- Windows: Scheduled maintenance is typically performed during off-peak hours or weekends to minimize disruption to customer operations.
- Communication: Details of the planned changes, expected impact, and duration are clearly communicated.
5. Emergency Changes
Emergency Changes are executed to address critical issues impacting service availability or security. While expedited, they still adhere to a defined process:
- Immediate implementation to restore service or mitigate risk.
- Retrospective review and formal approval after the change has been implemented.
- Full documentation of the emergency, rationale, and steps taken.
6. Roles and Responsibilities
- Change Owners: Individuals or teams responsible for proposing and driving changes.
- Change Implementers: Teams responsible for executing approved changes.
- Change Advisory Board (CAB): A group of stakeholders responsible for reviewing, assessing, and approving Normal Changes.
7. Tools and Systems
We utilize dedicated change management systems and ticketing tools to track, manage, and audit all changes effectively.
8. Policy Review and Updates
This xcPEP Change Management Policy is reviewed at least annually and updated as necessary to reflect organizational changes, improvements in processes, and evolving industry best practices.