Article 50 – Change and Configuration Management Policy
49070.4 Policy Directives
CDCR (California Department of Corrections and Rehabilitation) / CCHCS / CALPIA (California Prison Industry Authority, formerly PIA) shall:
- Formally manage all changes to information assets.
- Utilize the Change Control Board, which includes a change advisory board that meets on a regular basis to review changes to information assets.
- Ensure that the change advisory board comprises representation from appropriate stakeholders, and in particular from impacted business areas.
- Ensure that the change advisory board includes formal security representation, and that change management processes formally integrate security evaluations and risk impact assessments in all change activities.
- Establish comprehensive enterprise-wide change management, comprised of supporting processes, workflows, and a centralized repository for all changes, including changes to baseline configurations.
- Establish, implement, and manage CDCR / CCHCS / CALPIA operating baselines for information asset configurations.
- Establish and implement technologies, processes, and procedures to maintain and manage information asset configurations.
- Ensure third parties and contractors are subject to change and configuration management policies, discipline, and practices. Any changes to CDCR / CCHCS / CALPIA information assets proposed by service providers, regardless of whose environment they operate in, shall be governed by CDCR / CCHCS / CALPIA change and configuration management processes.