Approved Date – 02/22/2016
Published Date – 02/22/2016
Revised Date – 02/23/2023
Provide the requirement for DC Agency to implement an Information System Change Control process to protect the confidentiality, integrity, and availability of information systems.
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District, and/or any District agency or entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from OCTO.
This Policy also applies to any providers and third-party entities with access to District information, networks, and applications.
District agencies and departments must develop or adhere to a strategy which demonstrates compliance with this policy and its related standards. The following outlines the requirements for this policy.
The District's agencies must develop and review or update annually and after change to the policy, a procedure in support of this policy with the following requirements:
4.1 Change Advisory Board
Each agency CIO shall consult with the OCTO Change Advisory Board (CAB) in which each agency plans and coordinates all system changes within the DC Government enterprise with the OCTO CAB. The CAB must evaluate all information system and security configuration changes before implementation. The OCTO CAB must approve, disapprove, or modify a system change.
4.2 Change Manager
The OCTO Change Manager is the member of the CAB who ensures the change request is following the standardized operating procedure. The OCTO Change Manager can authorize the change. In addition, the OCTO Change Manager ensures timely decision-making for change requests.
4.3 Change Owner/Initiator
Each agency ClO must designate a Change Owner or Initiator who must act as the liaison with the OCTO CAB, to track all agency system change requests, and report all CAB-approved system changes to the DC Chief Technology Officer through the CAB. The Change Owner/Initiator must be a District Government employee.
4.4 CAB Membership
Representatives from each OCTO department and the change manager are the members of the Change Advisory Board. Each Agency CIO must ensure that the CAB meeting is joined by the IT technical and information security personnel and management officials who understand the impacts of information system changes to provide relevant and knowledgeable advice to the OCTO Change Manager.
4.5 Security Impact Analysis
Each agency must ensure that each proposed information system change, or security configuration is analyzed for potential impacts on the confidentiality, integrity, and availability of the information system and the data contained therein before change approval and implementation.
4.6 Pre-Change Validation
Each Agency Change Owner/Initiator must ensure that each proposed information system or security configuration change is documented, tested, and validated before change approval and implementation.
4.7 System Access for Change Implementers
Each Agency must ensure that only authorized change implementers are granted "Minimum Necessary" access to information system components to implement the CAB-approved system changes or upgrades.
4.8 Post Change Validation
Each Agency Change Initiator/Owner must ensure that each system change outcome (successful or unsuccessful) is documented and that each change was implemented per the CAB-approved system change.
4.9 Auditing of System Changes
Each Agency in consultation with the Change Manager must conduct a monthly audit to detect and resolve unapproved system changes.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.