Change Control Policy

CHANGE COMPONENTS

APPROVAL

Date

Author

Version

Description of Change (use multiple lines if necessary)

SVP IT Signature

SVP IT Date

4/24/2018

D. Watson

V1.1

Creation of document. First draft.

6/1/2022

T. Pascone

V2.1

Multiple changes made to accommodate process changes

8/8/2022

T. Pascone

V3.1

Restructuring of document to simplify using two primary modes of change control. Change Control Block changed.

08/31/2022

T. Pascone

V4.1

Reformatted and added language for clarification.

12/07/2022

T. Pascone

V5.1

Reformatted and added language for clarification.

06/08/2023

T. Pascone

V6.1

Added, deleted, and modified verbiage.

2/27/2024

T. Pascone

V7.1

Added Artifacts

04/10/24

I.Caminero

V8.1

Added Language to be applications specific

Contents

7. Change Tracking.. 6

8. Policy Changes. 7

9. Policy Compliance.. 7

10. Appendix A.. 8

Purpose

The purpose and objective of this policy/procedure is to establish the methodology to create (develop) or change various objects within the Costa IT environment. This change policy will apply to changes called out in the matrix (Appendix A) grouped by ‘change type’. Corresponding to each Change Type is an associated ‘Control Method’ along with the internal operating process that will be used in conjunction with each Control Methodology.

Environments
1. Three distinct application environments have been established within our software space. They consist of:
  1. PRODUCTION: Environment hosting objects related to running the business.
  2. QA: Environment hosting objects to be used for functional testing and acceptance prior to promotion to ‘Production’. This applies to Sage ERP only.
  3. DEV: Environment hosting objects used in the development \ modification of applications.

Shouldn't we have a section here regarding...

Scope
1. Change management activities: development related activities, and deployment.
  1. Development includes the modification of existing objects or creation of new software objects and the testing of the software objects before they are made available to the production environment. The change management role in development lies in assuring that objects and data are made available to the appropriate environments during the development, testing, and production phases. This includes the ability to audit each step in the migration process (development, quality test, production).
Change Types and Control Methods
1. Scope of the change types and control methodologies are defined in Appendix A of this document.

People
1. This policy applies to all Costa Farms employees, consultants, contractors and affiliates and it applies to all Costa Farms companies Utilizing Costa Farms ERP systems and systems integrated with such systems.

Activities
1. CHANGE TYPES: Features of the three (3) types of control methodology are defined as follows:

Change Control and Management
Change Tracking
Policy Changes
1. Change Control and Management (CC&M) CC&M will be applied according the following steps:

Requirements Definition – IT Business Analyst will work with the requestor to define and design the required functionality. Documentation will be captured via the CC&M process.

The ‘Requirements Definition’ should answer the following questions:

Why is the change being made?
What is the current (pre-change) state?
What is the target state?
Is a test script required to ensure quality of deliverable prior to promotion to production?
What is the roll back procedure should the applied patch prove to be detrimental to system health.
Which system components will be affected and how will they be affected. Related to data and to UI?

Quality Assurance – Performed by personnel separate from the developer.

Quality Assurance accountability lies with personnel who performed the quality control.

Functional testing, if deemed necessary in the Functional Specification, will consist of members from IT and business to ensure that items called out inrequirements are being met and that Functional Specifications are being delivered.
Primary question being addressed in this phase: Does the solution meet the requirements?
Artifacts and Evidence: Evidence supporting solution meeting business requirements to be attached to the specific task. This applies to applications only.

Acceptance- Approval from Business Process Owner or functional lead.
Patch to Production- Promoting changes to production.

CC&M Change Types: This column in Appendix A will call out the particular Change type to be used in the CC&M procedure. Each change type will have varying requirements based on the change type. The change types are as follows:[IC1]
1. Normal: Will follow all steps listed above.
2. Fast Track: By-passing QA testing
3. Prod Direct: Change directly done in production. Emergency items or very low risk.
4. Expedite: All other options to be determined at time of CCM creation
5. Crystal Report:
6. Change Log – Non Prod: Change used for tracking however not being promoted to production.

Change Tracking

Change tracking has been established to accommodate the following business requirements not associated with any type of software development, policy creation and are independent of the need for project management.

Features of change Tracking will include:
1. Submission of a request
2. Assignment of request to appropriate person
3. Approval (when needed) based on tracking type will be made prior to Execution of request.
4. Execution of request

Policy Changes

Changes to IT General Controls policies (summarized in Appendix A) have been created as the top-level set of practices used to guide IT procedure creation.

In all instances related to change management and change tracking events will occur requiring that measures be taken to ensure business continuity, these instances may be deemed critical in nature that will require a bypass of policy and corresponding procedures listed in this document. In this, prior to changes being made in the production environment, approval will be required from both the Director of Functional Area and SVP IT. Provisions will be made in procedures to accommodate for such events.

Policy Compliance
1. Compliance

The IT Department will verify compliance to this policy through discrepancy reporting. This review will be done every 6 months starting 1/1/2023.

Policy Waiver\ Exceptions

If it becomes necessary for a business operation to deviate from Policy or standards, the information owner or supervisor should address the deviation with the SVP of Information Technology. The SVP of Information Technology is the only role that may issue a waiver to the business to deviate from the policy. The waiver will be valid for the maximum duration of one year and may be extended with the appropriate review and approval[TW2] [TW3] [TW4] . Reference Appendix A.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Appendix A

Change Control and Tracking Matrix

Link to Appendix A: Change Control Policy_Appendix A.xlsx