This Policy was last reviewed July 21, 2023.

1. Purpose

The purpose of the Peerceptiv Change Management Policy is to establish the rules for the creation, evaluation, implementation, and tracking of changes made to Peerceptiv Information Resources.

2. Scope

The Peerceptiv Change Management Policy applies to any individual, entity, or process that creates, evaluates, and/or implements changes to Peerceptiv Information Resources.

3. Maintenance

This Policy will be reviewed annually or as deemed appropriate based on changes in technology or regulatory requirements.

4. Enforcement

Violations of this Policy may result in suspension or loss of the violator’s use privileges with respect to Peerceptiv Information Systems. Additional administrative sanctions may apply, up to and including termination of employment or contractor status with the Company. Civil, criminal and equitable remedies may apply.

5. Exceptions

Exceptions to this Policy must be approved by the Chief Technology Officer (“CTO”) and formally documented. Policy exceptions will be reviewed on a periodic basis for appropriateness, with all exceptions reviewed at least annually. In emergency situations, designated Peerceptiv staff are authorized to make necessary changes to restore system functionality and address vulnerabilities without further CTO authorization.

6. Policy

6.1 Change Management Rules

  • Changes with a significant potential impact to Peerceptiv Information Resources must be scheduled.
  • Peerceptiv Information Resources owners must be notified of changes that affect the systems they are responsible for.
  • Authorized change windows must be established for changes with a high potential impact.
  • Changes with a significant potential impact and/or significant complexity must have usability, security, and impact testing and back out plans included in the change documentation.
  • Change control documentation must be maintained in accordance with Peerceptiv data retention and backup policies.
  • Where necessary, significant changes made to Peerceptiv customer-facing applications must be communicated to customers, in accordance with governing agreements and/or contracts.
  • All changes must be approved by the Information Resource Owner or Chief Technical Officer.
  • Emergency changes, such as those required to respond to service outages or newly discovered system vulnerabilities, may be implemented immediately, and on such occasions the change management documentation may be completed retroactively.
  • All documented changes must be reviewed to ensure successful implementation and to make sure compliance is maintained with developed baselines.
  • Peerceptiv staff is required to implement changes to address service outages and serious discovered vulnerabilities as soon as reasonably and safely possible. The Chief Technical Officer must be informed of changes made in this manner.
  • Routine platform software updates, performed automatically on a scheduled basis, are exempt from reporting and approval requirements.

6.2 Documentation and Classification

  • Changes reasonably expected to have a significant potential impact on Peerceptiv Information Resources must be documented as described in this section.
  • Changes to both the physical and logical production environment must be documented and classified according to their:
    • Importance
    • Urgency
    • Impact
    • Complexity
  • Change documentation must include, at a minimum:
    • Date of submission and date of change
    • System owner information
    • Nature of the change
    • Change requestor
    • Change classification(s)
    • Roll-back plan
    • Change approver
    • Change implementer
    • An indication of success or failure
