Business Technology Change Management covers changes to System settings in addition to Process and Policy changes. The Business Technology Change Management (CM) process at GitLab provides a framework for the thorough documentation, testing, and evaluation of proposed changes to the Business Technology systems. The CM process mitigates risk to production applications that could threaten the stability, resiliency, security, data availability, integrity, and regulatory compliance.
This handbook page defines the steps necessary to implement and maintain CM processes to ensure changes are planned, documented, reviewed, and approved in a controlled manner.
Making a user- or group-level change doesn't require a Business Technology change request. For example, if your team decides to make a change to one of your team's group settings on GitLab.com, a Business Technology change request isn't required. However, if you decide to make a change to a configuration or setting for GitLab.com globally, that requires a change request. Another example is Google Drive. If you decide to make a change to one of your team's Google Drive folders, no Business Technology change request is required. But if you change the default sharing setting of all of Google Doc for GitLab, a Business Technology change request is required.
Additional examples include: If you are making a Process and/or Policy change that will impact only your team's process, a change management is not required. If you are making a Process and/or Policy change that will impact one or more other departments, a change management is required.
For additional information regarding Change Management, refer to our Change Management Workflow Control Guidance.
A Business Technology change request is only needed when a change is being requested for review for applications already listed in our tech stack.
There are many benefits from effective change management.
Outage prevention and reducing user impact
Helps ensure that changes are made with good planning
Change management is required as part of many regulations and is audited for effectiveness
Note This would be the final stage of scope. As the first iteration, we will need to scope this down more and implement phases to the scope.
Change Management process covers changes to systems across the Business Applications.
A few examples are listed below. These examples are not meant to be all encompassing.
|IT Compliance Team||Maintain a mechanism to intake and respond to Change Management Activities|
|Provide complete and accurate responses within documented SLA|
|Document and report any risks or trends identified during Change Management Activities|
|Business Requestor||Complete the Change Management issue|
|Work with the Technical Owner to document, test, and obtain approval(s) for change|
|Technical Owner||Work with the Business Requestor to ensure requested change is documented, tested, and approval(s) have been completed|
|Ensure Peer Review is completed prior to obtaining Business Approval|
|Peer Review||Review and ensure requested change has been documented and there are no undocumented downstream impacts|
|Business Owner||Review and provide approval prior to change being implemented|
A standard change is a pre-authorized change that is low risk, relatively common and follows a specified procedure or work instruction.
A comprehensive change is high risk, high impact, or has a more complex procedure.
An emergency change follows the same approval process as comprehensive.
|Peer Review||Peer Reviews are performed by a peer of the change Requestor or Developer and are intended to identify any potential issues with the planned change or change process. Note: The peer review process was established to mitigate the risk of the lack of segregation of duties between developer and implementer. The review provides comfort that changes to the production environment are valid.||Yes||Yes||Yes|
|Impacted Team(s) Management/Code Owner approval||Approval by Management that is responsible for the particular system||Yes||Yes||Yes|
|Business Approval||Approval by Impacted Team(s) Management approval that is responsible for the particular system or is impacted by the change.||No||Yes||Yes|
|Head of IT, Business||The Head of IT must approve all changes made during blackout periods||No||Yes||Yes*|
Blocked periods are established to ensure that BT system changes do not adversely affect quarter-end, or year-end closing processes for financially significant applications.
Their duration is typically established by the requirements of the Finance and Sales departments and not IT itself.
Significant Enterprise Applications* Last 14 calendar days and first 14** calendar days of each quarter
All other applications and/or tools Last 7 calendar days and first 7** calendar days of each quarter
All exceptions need Head of BT and Business approval
*Significant Enterprise Applications are: Coupa, Netsuite, Salesforce, Zuora
**Finance impacted systems.
Business Technology change requests are important because they help us track and manage the risk of making wide-reaching configuration and setting changes. All requests for Application, Process, and/or Policy changes are initiated by the requestor submitting a Business Technology Change Request issue.
To make a global configuration or settings change to a third-party application or service:
If during the Business Technology change request process it's decided team members should be notified of a change (for example, changing the default Google Doc sharing settings), please ensure that you communicate the change and its impact by posting in
If the change is approved and requires communication to team members, communicate the change, its rationale, and its impact.
Please note the change will always be implemented on a Tuesday following the change approval and communication. This will allow the ability and coverage should the change need to be backed out and re-reviewed.
If no communication is required or the change has been communicated already, make the change.
Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.