Commit 268833a7 authored by Marcello Evangelista

Merge branch 'change-management' into 'master'

Introducing the change management definition and processes

See merge request !30
parents 2ad59408 577611c6
...@@ -47,7 +47,7 @@ Any relationships within multi-tiered applications found during the scoping phas ...@@ -47,7 +47,7 @@ Any relationships within multi-tiered applications found during the scoping phas
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
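Review bot: the only change in this hunk is dropping ", up to and including termination of employment" from the Non-Compliance sentence, and the same edit is repeated in every policy file below, yet the commit message only mentions introducing change management; suggest stating the rationale for softening the sanction wording in the merge request description so the policy history stays auditable (the new change-management file already uses the shortened wording, so the set is at least consistent).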
...@@ -55,7 +55,7 @@ ...@@ -55,7 +55,7 @@
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
# Purpose
This document set the current definition of what a Change is regarding our own and managed environments.
# Scope
This policy is applicable to all infrastructure environments under our Managed Services Platform.
# Policy
## What is a Change?
A change is an event that holds approval from the Change Board Advisors (CBA), it is evaluated and implemented striving for minimised operational and financial risks, adjusts the current status of configuration whilst adding value to a business, service and its customers.
## How to Request a Change?
Currently, OlinData provides two specific models to request a change:
### Request for Change (RFC)
A request for change is a proposal that can be submitted by an internal OlinData stakeholder or by an MSP customer via our service desk (Zendesk), utilising the request fulfilment process to alter the current configuration state.
### Formal Change Proposal (FCP)
A formal change proposal is a high-level description of a potential service introduction or significant change and it is justified through a business case and implementation schedule. These proposals are usually originated from business and management key decisions and may include scope addition or more impactful changes to the current state of service and/or resources deployed.
### Change Types
1. Critical Change.
A critical change is one that must be assessed and implemented as soon as possible to solve a major incident. Critical changes are, by nature, more disruptive and may lead to failures such as outages, loss of continuity or process breakage, so they should be kept to a minimum.
Are recognised as Critical Changes:
* Active damage mitigation.
* Zero-day mitigation.
* Removal of infected and/or exploited resources.
* Removal of alien resources.
* Major change breakages.
* Promoted patching changes.
* Customers' application security updates.
1. Major Change.
A major change may have significant impact to the current state of configuration either by introducing breaking changes or by leveraging greater financial implications. Therefore, this change must be submitted for approval and should only be considered by the Change Board if it contains a detailed proposal with its justification and impact forecast. A proposal will only be appreciated if it contains a proper regression plan in case of critical failure.
Since OlinData deals with multiple customers, it is requested that all major changes are also approved by the customer should they be affected by the proposed modifications.
Major Changes include:
* Major customers' application package version rollouts
* Resource/infrastructure modifications on production environments
* High-risk performance patching
1. Minor Change
A minor change is one that offers low risk, comes from a pre-established procedure and occurs frequently without introducing breaking changes. Such changes also present a
Change Model that states a documented and repeatable plan for management and execution of said change.
Minor changes are also subject to pre-approval should the CBA decide. This decision happens on a case-by-case basis and should not be seen as the customary practice.
If a minor change introduces higher compromises it may be promoted to a Major Change.
Minor Changes include:
* Minor version updates that are not related to security or performance
* Deprecation updates around configuration languages that do not affect the running state
1. Patching
A patching change is one that introduces a set of software and dependency fixes that may include security vulnerabilities, operational bugs and performance/usability improvements.
In case of security patching, an assessment is needed to determine if the flaw was exploited. In a positive case of exploitation, the patching change will be promoted to a Critical Change.
If the patching change introduces breaking changes or higher risk of outages, it should also be presented along a regression plan and be promoted to a Major Change.
Patching changes are not subject to auto-approval and should be reviewed carefully by the CBA.
Patching Changes may include:
* Package vulnerabilities fixes on non-exploited flaws
* Low risk performance improvements
1. Operational
An operation change is one that happens frequently as part of the hired services that does not introduce any significant risk to the current state of configuration and availability.
Operational Changes may include:
* Resource rotation
* General backups
* IAM management
# Policy Compliance
1. Compliance Measurement
The Infosec team and the CBA will verify compliance to this policy through the service desk requests and deployment cycles.
1. Exceptions
Any exception to the policy must be approved by the Infosec team and the CBA in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action.
# Revision History
Please check the commit history for this file.
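Review bot: the Patching section says security patches need "an assessment ... to determine if the flaw was exploited" but does not say who performs it, by when, or what evidence is kept, and the Critical Change list ("Zero-day mitigation", "Removal of infected and/or exploited resources") does not reference the Security Response Plan whose remediation timelines this merge request also touches; suggest cross-linking the two so a patch promoted to Critical inherits the SRP severity-based timelines and goes through the incident process rather than only the CBA. Smaller points: "This document set" should read "sets"; "Change Board Advisors (CBA)" is introduced but the Major Change section refers only to "the Change Board"; "regression plan" in the Major and Patching sections presumably means a rollback plan; "Are recognised as Critical Changes:" reads better as "The following are recognised as Critical Changes:"; and "An operation change" should be "An operational change".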
...@@ -56,10 +56,10 @@ This policy applies to all OlinData BV employees and affiliates. ...@@ -56,10 +56,10 @@ This policy applies to all OlinData BV employees and affiliates.
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
Please check the commit history for this file. Please check the commit history for this file.
[cipherlist]: https://cipherli.st [cipherlist]: https://cipherli.st
...@@ -110,7 +110,7 @@ The lists below are by no means exhaustive, but attempt to provide a framework f ...@@ -110,7 +110,7 @@ The lists below are by no means exhaustive, but attempt to provide a framework f
1. Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of OlinData BV and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by OlinData BV’s Non-Discrimination and Anti-Harassment policy. 1. Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of OlinData BV and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by OlinData BV’s Non-Discrimination and Anti-Harassment policy.
1. Employees may also not attribute personal statements, opinions or beliefs to OlinData BV when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of OlinData BV. Employees assume any and all risk associated with blogging. 1. Employees may also not attribute personal statements, opinions or beliefs to OlinData BV when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of OlinData BV. Employees assume any and all risk associated with blogging.
1. Employees may also not use copyrighted material belonging to OlinData BV or any of its affiliates when engaging in personal blogging. 1. Employees may also not use copyrighted material belonging to OlinData BV or any of its affiliates when engaging in personal blogging.
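Review bot: the three lines shown in this hunk are identical on the old and new side, so the actual edit is not visible in the rendered view; if it is whitespace-only or a line-ending change, consider separating formatting-only changes from the wording change in the -126 hunk of the same file so the policy diff stays readable.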
...@@ -126,7 +126,7 @@ The lists below are by no means exhaustive, but attempt to provide a framework f ...@@ -126,7 +126,7 @@ The lists below are by no means exhaustive, but attempt to provide a framework f
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -48,7 +48,7 @@ This policy applies to all OlinData BV employees and affiliates ...@@ -48,7 +48,7 @@ This policy applies to all OlinData BV employees and affiliates
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -40,7 +40,7 @@ This policy covers appropriate use of any email sent from a OlinData BV email ad ...@@ -40,7 +40,7 @@ This policy covers appropriate use of any email sent from a OlinData BV email ad
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -60,7 +60,7 @@ The scope of this policy includes all personnel who have or are responsible for ...@@ -60,7 +60,7 @@ The scope of this policy includes all personnel who have or are responsible for
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -29,7 +29,7 @@ The development, implementation, and execution of a Security Response Plan (SRP) ...@@ -29,7 +29,7 @@ The development, implementation, and execution of a Security Response Plan (SRP)
1. Mitigation and Remediation Timelines 1. Mitigation and Remediation Timelines
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to level of severity determined for the reported vulnerability. The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to level of severity determined for the reported vulnerability.
1. Information Transfer 1. Information Transfer
The SRP communication must outline applied services (Manual or Automatic scanning) but will not prize information. Confidential information regarding systems and impacted services or applications will only be distributed through secure channels and only after verification of the contact. The SRP communication must outline applied services (Manual or Automatic scanning) but will not prize information. Confidential information regarding systems and impacted services or applications will only be distributed through secure channels and only after verification of the contact.
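Review bot: the visible lines of this hunk are unchanged on both sides, but since the Information Transfer paragraph is being touched, "will not prize information" is unclear (presumably "will not disclose information"); suggest correcting it in the same hunk.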
...@@ -47,7 +47,7 @@ The development, implementation, and execution of a Security Response Plan (SRP) ...@@ -47,7 +47,7 @@ The development, implementation, and execution of a Security Response Plan (SRP)
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -16,7 +16,7 @@ This policy applies to the engineering team and any other technical bodies from ...@@ -16,7 +16,7 @@ This policy applies to the engineering team and any other technical bodies from
* Microsoft Azure * Microsoft Azure
* Google Cloud Platform * Google Cloud Platform
Other than the providers mentioned above, OlinData BV also has part of its internal infrastructure deployed at the following providers: Other than the providers mentioned above, OlinData BV also has part of its internal infrastructure deployed at the following providers:
* DigitalOcean * DigitalOcean
...@@ -56,7 +56,7 @@ This policy applies to the engineering team and any other technical bodies from ...@@ -56,7 +56,7 @@ This policy applies to the engineering team and any other technical bodies from
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -64,11 +64,11 @@ This policy is directed at all system implementer and/or software engineers who ...@@ -64,11 +64,11 @@ This policy is directed at all system implementer and/or software engineers who
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
Please check the commit history for this file. Please check the commit history for this file.
[passwordpolicy]: security-policy/general-guidelines/password-construction.md [passwordpolicy]: security-policy/general-guidelines/password-construction.md
\ No newline at end of file
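Review bot: the hunk ends with "\ No newline at end of file" after the [passwordpolicy] link line, and the next file's hunk shows the same marker; since both files are being edited anyway, add a trailing newline so future diffs to the last line stay clean.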
...@@ -40,8 +40,8 @@ This policy applies to all OlinData BV employees, contractors, vendors and agent ...@@ -40,8 +40,8 @@ This policy applies to all OlinData BV employees, contractors, vendors and agent
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
Please check the commit history for this file. Please check the commit history for this file.
\ No newline at end of file
...@@ -42,7 +42,7 @@ For additional information regarding OlinData BV's remote access connection opti ...@@ -42,7 +42,7 @@ For additional information regarding OlinData BV's remote access connection opti
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -67,7 +67,7 @@ This policy specifies requirements for equipment on the internal OlinData BV net ...@@ -67,7 +67,7 @@ This policy specifies requirements for equipment on the internal OlinData BV net
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -44,7 +44,7 @@ Approved OlinData BV employees and authorised third parties (customers, vendors, ...@@ -44,7 +44,7 @@ Approved OlinData BV employees and authorised third parties (customers, vendors,
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -43,7 +43,7 @@ All employees, contractors, consultants, temporary and other workers at OlinData ...@@ -43,7 +43,7 @@ All employees, contractors, consultants, temporary and other workers at OlinData
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......
...@@ -45,7 +45,7 @@ Infosec must approve exceptions to this standard in advance. ...@@ -45,7 +45,7 @@ Infosec must approve exceptions to this standard in advance.
1. Non-Compliance 1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may be subject to disciplinary action.
# Revision History # Revision History
......