Change Management

The purpose of this policy is to ensure effective control over all changes affecting the main information systems, in order to minimize the likelihood of service disruption or stoppage of IT services. Additionally, it aims to prevent unauthorized changes that may lead to tampering or errors. 

 

This policy applies to all members of UTAS-Sur, whether on a temporary or permanent basis as well as any third parties working with or contracted by the university, it covers all environments where the university’s information systems are operated. 

Information Systems and Educational Technologies Center. 

‏Assistant Vice Chancellor for UTAS – Sur. 

Any violation of this policy by all members or third parties (suppliers, contractors, business partners, etc.) will be subject to disciplinary and legal actions in accordance with the laws of the Sultanate of Oman, including regulations related to cybersecurity, university’s policies, labor laws, and electronic transactions. 

 Change Standards: 

• The University must ensure that all changes, whether planned or emergency, to the main information systems are supervised and controlled formally, including their presence in the operational/production environment. These changes should be recorded, evaluated, approved before implementation, and reviewed post-implementation according to pre-established planning. 

• The University should categorize change requests based on their impact and approval requirements, including: 

               – Routine Change: Requires prior review and approval before implementation. 

               – Emergency Change: Necessary for urgent and critical needs, as failure to implement them may severely impact IT services. These changes have higher priorities than planned changes and don’t follow the standard approval due to time constraints. 

 

Routine Changes: 

• The University must assess the impact of changes on information security and take appropriate mitigation measures to minimize risks. 

• Before approving and implementing any change in an information system, it must be ensured that affected systems/processes are identified, and that responsible and concerned parties approve the change. 

• Only authorized changes to the University’s information systems are permitted. 

• Approval of routine changes must be granted by the Head of the Information Systems Department. 

• Changes should be tested in a controlled environment before being deployed to the production environment. 

 

Emergency Changes: 

• In cases of urgent tasks requiring immediate response, deviation from standard change management procedures is temporarily permitted to ensure the continuity of essential operations in the University. 

• Emergency changes must be reviewed and approved by the responsible authority, which is the Head of the Information Systems Department. 

• Emergency changes should be implemented effectively and promptly, following the emergency change procedures. 

• Change requests should be closed and documented upon completion to finalize the emergency process. 

  

Change Status Monitoring and Reporting: 

• Change requesters and stakeholders should be informed about the latest updates regarding changes in the information systems. 

• The IT Security will record and document change requests and modifications to the University’s information systems. 

 

This policy shall take effect from the approval date.