2912
Viewer II

Security Procedures contents

Hi All

I’m preparing a Change Control Procedure for my company. I’m just wondering if it is appropriate to add a “Scope” to specify what is in scope and what is not?

Some of the scopes include the following:

In scope

  1. Software: installation, patch, upgrade or remove software, including off-the-shelf applications, OS and in-house developed applications.
  2. Database: changes to DB structure
  3. Hardware: Installation or modification of computing equipment and services

Out of scope

  1. Desktop: installing a Bluetooth mouse, changing the Windows system’s language interface, etc.
  2. Daily administration: reset user password, modification of user roles and security groups.

I appreciate any help you can provide.

2 Replies
tmekelburg1
Community Champion

  • Does your company have any docs in-between a policy and procedure related to change management (CM)?
  • Is the CM procedure mostly viewed by the technology staff/admins if they have questions on what to do if they receive a CM request?

Me personally, I keep Policy short with pointers to a Standards doc and Procedures doc. The Standards doc is where I'd put the detailed list of what's either in scope or out of scope and I can change it as often as needed. Some Orgs don't have anything in-between and if that's the case here, place it in the procedure doc because you wouldn't want to go through all the admin hurdles of updating policy to make minor changes to the list.

2912
Viewer II

Hi tmekelburg1

Thanks for your advice. We have a policy and procedures in place, but no other doc in between. I'll put the scope in the procedure file as suggested by you.

Thanks.