Skip to content

Change Management Policy

Version 1.0 | Classification: CONFIDENTIAL — Internal Use Only

Purpose

Establish mandatory requirements for the planning, approval, implementation, and documentation of all changes to GPUS-IT production infrastructure, ensuring stability, security, and auditability.

Scope

Applies to all GPUS-IT staff and contractors who make changes to production systems, including on-premises servers (SKY, RAIN, SUN, WIND), GCP cloud infrastructure, network devices, and backup systems.

Policy Requirements

All Changes

  1. Every production change must be logged in /var/log/asset-inventory.log on the affected server(s) with timestamp, description, and operator name.
  2. AIDE baseline must be updated immediately after any change that modifies files, packages, or configuration.
  3. DNSSEC zones must be re-signed after any DNS zone file modification.
  4. Changes must not be performed during business hours (08:00–18:00 local) unless classified as Emergency.

Normal Changes

  1. A change request must be documented before implementation, including: description, risk assessment, rollback plan, and test plan.
  2. Normal changes require approval from the IT Manager or designated delegate before proceeding.
  3. Minimum 24-hour notice is required before implementation.
  4. All Normal changes must be tested in a non-production environment where feasible.

Emergency Changes

  1. Emergency changes may be implemented immediately to restore a P1 or P2 service.
  2. Verbal approval from the IT Manager must be obtained before implementation, or immediately after if the IT Manager is unreachable.
  3. Full documentation must be completed within 2 hours of the emergency change.
  4. Emergency changes are reviewed at the next regular IT team meeting.

Standard Changes

  1. Standard changes are pre-approved and require no additional approval, provided they follow the documented template exactly.
  2. If a standard change deviates from its template in any way, it is reclassified as a Normal change.
  3. Standard change templates must be reviewed and re-approved annually.

Prohibited Practices

  • Making undocumented changes to production systems
  • Disabling AIDE, auditd, SELinux, or firewalld as part of any change
  • Performing Normal changes without IT Manager approval
  • Skipping the Post-Change Checklist

Enforcement

Violations of this policy are subject to access revocation and escalation to the IT Manager and CISO. The change log (/var/log/asset-inventory.log) and AIDE reports provide independent verification.

Review

This policy is reviewed annually by the IT Manager and Security Ops.

Policy · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only