Reference: 01.21-32.46
Version: 1.2
Effective Date: Dec 21, 2018
Revision Date: July 21, 2021
Title: Mortgage Planners – Change Management Policy
DOMAIN: CHANGE MANAGEMENT
DOCUMENT TYPE: SECURITY POLICY
SECTION: SECURITY & COMPLIANCE

Mortgage Planners

1  INTRODUCTION

This document was developed by TCPCOM Inc. and defines the requirements of the “Change Management Policy” applicable at Mortgage Planners.

2 GENERAL INFORMATION

2.1   Revision History

Version   Date         Summary                            Prepared by
1.0       2018-11-21   Initial version                    Marc-Andre Heroux
1.1       2019-01-23   Update Security Policy Objective   Marc-Andre Heroux
1.2       2021-07-21   Update Policy Statement            Marc-Andre Heroux

2.2 Related Documents

Type: Security Requirements
Title: Mortgage Planners – Registry of Security Controls

2.3 Information Security Responsibility

Senior management is responsible for the enforcement of the security policy. The security officer is responsible for ensuring the proper definition and implementation of the security policy.

3 SECURITY POLICY OBJECTIVE

3.1 Purpose of the security policy

Establish requirements to ensure that changes made to the infrastructure, the information system and any informational resources follow a standard process that supports business needs and proper operation.

Ensure that changes to the infrastructure and its cyber assets are carried out and supported by activities that preserve the availability, integrity and confidentiality of informational resources.

3.2 Scope of Security Policy

This policy applies to all employees of Mortgage Planners, service providers and/or employees of third parties performing work related to the informational resources of Mortgage Planners.

The scope of cyber assets is as follows: servers and network systems as well as technical security controls and/or utilities supporting business functions and operations.

3.3 Managing Information Security

Senior management must ensure that a senior security officer (CISO, CSO) reviews and defines effective controls. The security officer must also collaborate and validate that controls are in place and properly implemented to limit access to information according to roles, need to know and need to use.

Processes, mechanisms and solutions to prevent the disclosure of information and to maintain the integrity and availability of informational resources must be defined and implemented.

3.4 Breach of Security Policy

An intentional or unintentional violation of policies, procedures, standards or security requirements of Mortgage Planners may be subject to disciplinary action and may result in termination of employment or contract and possibly civil/criminal justice prosecution.

Anyone suspected of a security breach or deviation will be treated fairly, and a full investigation will be conducted to protect their legal rights.

3.5 Exceptions to the Policy

Any exceptions related to this security policy must be approved by the senior management.

4 OPERATIONAL CHANGES

4.1 Policy Statement

A change management process, together with the corresponding documents, activities and solutions supporting operational changes, must exist and be applied to ensure that operational changes are conducted adequately. A proper change management practice must allow a return to a stable state in the case of an unsuccessful change (roll-back).

A change management process must be in place to ensure that informational assets and configuration standards are maintained, and that security controls are working properly following a change.

When a transition occurs for an informational resource (e.g. migrating a web site, a database, a system or a solution) from one storage area to another, in the same or a different site/server/environment, the initial (old) informational resource must be purged and rendered inaccessible once the transition is completed. When appropriate, a backup copy of the informational resource must be kept secured, and Mortgage Planners must be informed of any backup kept of its data in any environment. Specifically, if an external backup of the Maestro solution, or of its database, contains confidential information, the information must be kept encrypted.

4.2 Security Risks

Inadequate control of changes to information processing facilities and/or cyber assets is a common cause of system or security issues and incidents.

Inadequate control of operational changes could result in security weaknesses and could impact the performance, availability, integrity and confidentiality of the infrastructure and its informational resources.

Not purging data following the transition of an informational resource (e.g. web site or system migration) could lead to improper data protection and potential unauthorized access to sensitive information, with a negative impact on Mortgage Planners (e.g. legal liability).

5 SIGNIFICANT CHANGES

5.1 Policy Statement

Following a significant change, all relevant requirements must be implemented on all new or modified systems and networks, and documentation must be updated when applicable.

The change management process must distinguish significant changes from standard changes to an informational resource (e.g. changing/adding/removing cyber assets, solution components, network or security controls). A significant change requires the following elements to be documented in an implementation plan: the system or solution affected, the technical details of the change, the impact of the change (e.g. requiring a reboot or an interruption), a roll-back plan, the steps of the change, and how and by whom it will be tested. Finally, the implementation plan must be approved/authorized prior to executing the change.

The process needs to trigger appropriate security activities in the event of significant change, as applicable:

  • Vulnerability analysis and penetration test on cyber-related assets following the significant change (e.g. public-facing web application).
  • Document, test and communicate the changes.
  • Update diagrams, inventory, configuration standards and system specifications.

5.2 Security Risks

Without a process distinguishing significant changes from standard changes, appropriate security activities might not be executed, and weaknesses could remain unknown and be exploited by a threat agent. This could lead to a serious issue affecting the confidentiality, integrity and/or availability of the infrastructure, the information system and its informational resources.

6 MONITORING COMMITTEE AND CHANGE

6.1 Policy Statement

A formal change control process must be established to ensure that the change management committee authorizes any change to critical informational assets, to the information system and/or to the infrastructure used in the delivery of the company’s services (including the addition and/or removal of software/code/configuration or hardware).

6.2 Security Risks

Without formal change control, unauthorized modifications could be made, or changes could be made without a proper assessment of the risks and the potential impact of change.

Improper changes could also be made, or a change could be made without properly assessing risk or without following a standard approach (e.g. without these elements: requirements definition, implementation plan, standard test plan, impact-of-change analysis, recovery procedure).