
Sample SSAE-16 Change Checklist

July 2, 2020

Sample Considerations

Change Risk:  Low Risk

  • Only impacts one customer group
  • If the change fails, only a few users from a single customer site will be affected and recovery will be quick and low effort
  • Can be implemented at any time
  • Requires approval for completeness of change instructions from colleague or supervisor

Change Risk:  Medium Risk

  • Affects one or more functional groups
  • If the change fails, many users from a single customer will be affected and data corruption may result
  • Can only be implemented during a customer's secondary service window
  • These changes include application hot-fixes, security updates and patches. All aspects of the change must be documented in the write-up, and the change must be done during the secondary window, not the primary, unless it is an emergency or requested by the customer

Change Risk:  High and Emergency Risk

High Risk

  • Impacts one or more functional groups and requires coordination of the change
  • If the change fails, more than one customer will be affected
    • Note: this is a consideration for shared environments
  • Requires approval from customer and internal manager(s)
  • Requires announcement of change
  • Can only be implemented during a common secondary service window

Emergency Risk

  • Must be performed to mitigate other, more significant risk
  • May be performed if the customer system is down or in a degraded state
  • May be performed if there is danger of an imminent failure
  • Requires approval from customer and an internal approver – in advance if possible or after the change is made

Change Risk:  Maintenance and Support

Maintenance and Support

  • Does not impact data and has minimal risk of an outage
  • Documented instructions for completing the task exist
  • Requires proper authorization from internal or customer rep (can be a primary user)
  • Does not require internal approval process because it has been preapproved
  • Includes:
    • Application configuration setting adjustments made in the interface of the App
    • User provisioning and maintenance
    • New system provisioning
    • Reboots performed during secondary service windows
    • See list of preapproved Maintenance and support services