IS Change Control Methodology

[MSC Client's] change control methodology should provide for user department involvement in identifying the general nature and scope of a system development or maintenance project. The information requirements to be satisfied by the new or modified system should be defined carefully in written form and the development of a proposed system should be approved before the development process begins.

Project Definition - The [MSC Client's] change control methodology should provide for creation of a clearly stated written definition of the nature and scope of every system development project before project work begins.

User Department Participation in Project Initiation - The [MSC Client's] change control methodology should provide for participation by the affected user department management in the definition and authorization of an information system development or modification project.

Project Team Membership and Responsibilities - The [MSC Client's] change control methodology should specify the basis for assigning individual staff members to project team membership and define the responsibilities of the various team members.

Definition of Information Requirements - The [MSC Client's] change control methodology should provide that the information needs to be satisfied by the existing and the proposed new or modified system should be defined clearly before a development or modification project is approved.

Project Approval - The [MSC Client's] change control methodology should provide for the approval by designated members of management of the work done in each phase of the cycle before work on the next phase begins.

[MSC Client's] change control methodology should provide, for each proposed project, that a technological feasibility study be prepared in which alternative means for reaching the project’s goals are formulated along with a cost-benefit analysis of each alternative being considered.
Among the issues to be considered are the possibility of a null alternative and the feasibility of a make or buy decision. If a decision is made to proceed with work on the proposed project, a project master plan should be issued in writing.

Formulation of Alternative Courses of Action - The [MSC Client's] change control methodology should provide for the analysis of the alternative courses of action that will satisfy the information requirements established for a proposed new or modified information system.

Technology Feasibility Study - The [MSC Client's] change control methodology should provide for an examination of the technological feasibility of each alternative for satisfying the information requirements established for the development of a proposed new or modified information system.

Economic Feasibility Study - The [MSC Client's] change control methodology should provide, in each proposed information system development or modification project, for an analysis of the costs and benefits associated with each alternative being considered for satisfying the information requirements established for the project.

Risk Analysis Report - The [MSC Client's] change control methodology should provide, in each proposed information system development or modification project, for an analysis of the security risks, internal controls needed, and the feasible safeguards for reducing or eliminating the vulnerabilities.

Project Approval - The [MSC Client's] change control methodology should provide, in each proposed information system development or modification project, for the [MSC Client's] senior management to review the reports of the relevant feasibility studies, its decision on whether to recommend the project, and its identification of one of the alternatives examined in these studies as a basis for the project team’s work.

The life cycle methodology is an integral part of project management standards.

Project Master Plan - The [MSC Client's] change control methodology should provide, for each approved project, that a project master plan be created which is adequate for maintaining control over the project throughout its life.

Cost Monitoring - The [MSC Client's] change control methodology should provide, for each approved information system development or modification project, that a project master plan be created which includes a method of monitoring the costs incurred throughout the life of the project.

The [MSC Client's] change control methodology should provide, for each information system development or modification project, that the system requirements are incorporated adequately into the specifications for the design of the system. A design methodology should be used to structure the development of input, output, file, and processing specifications which describe the physical solution to the system requirements. This design methodology also should be used to specify the source documents, control mechanisms, security features, and audit trails to be included in the system.

Design Methodology - The [MSC Client's] change control methodology should provide that an appropriate procedure be selected for creating the design specifications for each information system development or modification project.

Output Requirements Definition and Documentation - The [MSC Client's] change control methodology should provide that an appropriate procedure be selected for creating the output requirements for each information system development or modification project.

Input Requirement Definition and Documentation - The [MSC Client's] change control methodology should provide that an appropriate procedure be selected for creating the input requirements for each information system development or modification project.

File Requirement Definition and Documentation - The [MSC Client's] change control methodology should provide that an appropriate procedure be selected for defining the file format and organization requirements for each information system development or modification project.

Processing Requirement Definition and Documentation - The [MSC Client's] change control methodology should provide that an appropriate procedure be selected for defining the data processing step requirements for each information system development or modification project.

Program Specifications - The [MSC Client's] change control methodology should require that detailed written program specifications be prepared for each information system development or modification project.

Source Data Collection Design - The [MSC Client's] change control methodology should require that adequate mechanisms for the entry of information be specified for each information system development or modification project.

Controls and Security Design - The [MSC Client's] change control methodology should require that adequate mechanisms for assuring the integrity of the data stored and processed by an information system and for safeguarding the system's resources be specified for each information system development or modification project.

Audit Trails Design - The [MSC Client's] change control methodology should require that adequate mechanisms for audit trails be specified for each information system development or modification project.

Design Approval - The [MSC Client's] change control methodology should require that the design specifications for all information system development or modification projects be reviewed and approved by the management of the IT function, the affected user departments, the [MSC Client's] senior management, and Information Technology Office for Executive Branch approval, when appropriate.

Program Documentation Standards - The [MSC Client's] change control methodology should incorporate standards for program documentation that have been approved by the IT function planning or steering committee, communicated to the staff of the IT function, and enforced to ensure that documentation created during information system development or modification projects conforms to these standards.

Validation, Verification, and Test Plan - The [MSC Client's] change control methodology should require that a validation, verification, and test plan be created for each information system development or modification project.

[MSC Client's] change control methodology should provide, for each information system development or modification project, that the programming objectives be established for the project and responsibilities for the actual programming be assigned, the system manuals be prepared, the program and system testing standards be defined, the system validation and acceptance criteria be created, and the acceptance of the system by the management of the affected user departments be secured.

Programming Objectives - The [MSC Client's] change control methodology should require that a written statement of the programming objectives to be realized be created for every information system development or modification project.

Program Narrative Description - The [MSC Client's] change control methodology should require that a written narrative of the programming logic employed within the project be created for every information system development or modification project.

Application Software Packages - The [MSC Client's] change control methodology should require that the availability be determined for commercial software packages that satisfy the needs of a particular information system development or modification project.
The commercial software packages should be compatible with existing IT function operations before the IT function’s staff is assigned to do any programming related to these projects. Software product acquisition procedures should follow the [MSC Client's] procurement policies, and these products should be tested and reviewed prior to their being used and paid for.

Contract Application Programming - The [MSC Client's] change control methodology should provide that the procurement of contract programming services be justified with a written request for service from a project manager. (The end products of completed contract programming services should be tested and reviewed by the IT function’s quality assurance group before payment for the work and the end product of it is authorized.)

Operations and Maintenance Manual - The [MSC Client's] change control methodology should provide that adequate operations and maintenance manuals be prepared as a part of every information system development or modification project.

User Manual - The [MSC Client's] change control methodology should require that adequate user manuals be prepared as a part of every information system development or modification project.

Training Plan - The [MSC Client's] change control methodology should require that adequate plans for training the staff of the affected user departments and the IT function's operations and maintenance groups be prepared as a part of every information system development or modification project.

Program Testing Standards - The [MSC Client's] change control methodology should provide standards for the testing and implementation of the software created as a part of every information system development or modification project.

System Testing Standards - The [MSC Client's] change control methodology should provide standards for the testing of the system itself as a part of every information system development or modification project.

System Testing Documentation - The [MSC Client's] change control methodology should provide, as a part of every information system development or modification project, that the results of testing of the system are included in the written record of the project team’s activities.

Evaluation of Test Results - The [MSC Client's] change control methodology should provide, as a part of every information system development or modification project, that the results of testing of the system be evaluated and approved by the management of the affected user departments and the IT function.

Conversion Plan - The [MSC Client's] change control methodology should provide, as a part of every information system development or modification project, that a plan be developed for converting the system from development to production.

Parallel Testing - The [MSC Client's] change control methodology should define the circumstances under which a parallel testing of both existing and new systems will be conducted and should specify the criteria for terminating the testing process.

Final Acceptance Test - The [MSC Client's] change control methodology should provide, as a part of the final acceptance of quality assurance testing of every information system development or modification project, for an evaluation of the test results by the management of the affected user departments and the IT function.

The [MSC Client's] change control methodology should provide, as a part of every information system development or modification project, that operation and maintenance procedures be established that assure that data is processed consistently and accurately and that system content will be modified only with proper authorization.

Operations Control Procedures - The [MSC Client's] change control methodology should provide, as a part of every information system development or modification project, that adequate procedures have been installed for controlling the data processing activities.

Cost Monitoring - The [MSC Client's] accounting system should routinely record, analyze, and report the costs associated with the operation of a new/changed information system.

System Modifications - The [MSC Client's] change control methodology should establish procedures for monitoring and controlling changes to all operational information systems.

Re-evaluation of User Requirements - The [MSC Client's] change control methodology should provide for the periodic review of the user requirements for specific information systems to determine whether and how those requirements may have changed.

[MSC Client's] change control methodology should provide for a comprehensive review, after the information system has been implemented, of each development or modification project to assure that the effort produced a system that meets user needs and stated objectives, is realizing anticipated benefits, and adheres to the requirements of the methodology.

Post-implementation Review Plan - The [MSC Client's] change control methodology should provide, as an integral part of the project team’s activities, for the development of a plan for a post-implementation review of every new or modified information system.

Results Evaluation - The [MSC Client's] change control methodology should require that a post-implementation review of an operational information system assess whether that system’s objectives are being achieved.

Evaluation of Meeting User Requirements - The [MSC Client's] change control methodology should require that a post-implementation review of an operational information system assess whether the user’s needs are being met by the system.

Evaluation of Cost-benefit Analysis - The [MSC Client's] change control methodology should require that a post-implementation review of an operational information system assess whether the system’s cost effectiveness conforms to the original costs and benefits projected for it.

Evaluation of Adherence to Development Standards - The [MSC Client's] change control methodology should require that a post-implementation review of an operational information system assess whether the project team adhered to the provisions of the methodology.

Reporting Post-Implementation Review Findings - The [MSC Client's] change control methodology should require that the results of a post-implementation review of an operational information system be submitted to the management of the user departments affected by the system and to the management of the [MSC Client's] IT function.