1. You are here:
2. Business Technology
3. Business Technology Change Management

On this page

• Business Technology Change Management
  • Purpose
    • Why Change Management is important
  • Scope
    • Criteria
  • Roles and Responsibilities
    • Change Request Types
    • Approval Matrix
  • Procedure
    • Blocked periods
    • Business Technology Change Request Workflow
    • Communication Changes
  • Exceptions
  • References

Business Technology Change Management

Purpose

Business Technology Change Management covers changes to System settings in addition to Process and Policy changes. The Business Technology Change Management (CM) process at GitLab provides a framework for the thorough documentation, testing, and evaluation of proposed changes to the Business Technology systems. The CM process mitigates risk to production applications that could threaten the stability, resiliency, security, data availability, integrity, and regulatory compliance.

This handbook page defines the steps necessary to implement and maintain CM processes to ensure changes are planned, documented, reviewed, and approved in a controlled manner.

Making a user- or group-level change doesn't require a Business Technology change request. For example, if your team decides to make a change to one of your team's group settings on GitLab.com, a Business Technology change request isn't required. However, if you decide to make a change to a configuration or setting for GitLab.com globally, that requires a change request. Another example is Google Drive. If you decide to make a change to one of your team's Google Drive folders, no Business Technology change request is required. But if you change the default sharing setting of all of Google Doc for GitLab, a Business Technology change request is required.

Additional examples include: If you are making a Process and/or Policy change that will impact only your team's process, a change management is not required. If you are making a Process and/or Policy change that will impact one or more other departments, a change management is required.

For additional information regarding Change Management, refer to our Change Management Workflow Control Guidance.

A Business Technology change request is only needed when a change is being requested for review for applications already listed in our tech stack.

Why Change Management is important

There are many benefits from effective change management.

Outage prevention and reducing user impact

• Preventing maintenance conflicts
• Peer review of changes to ensure change plan has no errors
• Ensuring that all parties that could be affected by a change are informed
• Ensuring that maintenance does not interfere with business processes and financial reporting

Helps ensure that changes are made with good planning

• Changes are made with a deployment plan, back out plan, and good criteria for testing to be sure that changes are completed as intended.
• Ensuring that only planned work is done with no additional changes.

Change management is required as part of many regulations and is audited for effectiveness

• Examples: SOX, ISO, and many others

Scope

Note This would be the final stage of scope. As the first iteration, we will need to scope this down more and implement phases to the scope.

Criteria

Change Management process covers changes to systems across the Business Applications.

• All changes to BT Systems
• Includes requests for program changes, system changes, system maintenance, and administration access
• Changes to data and data structures
• Controls provide reasonable assurance that system changes do not affect financial reporting

Examples

A few examples are listed below. These examples are not meant to be all encompassing.

• Changes to production business applications such as new application enhancements, upgrades, or defect resolution.
  • SFDC, Okta, Azure, Zoom
  • All changes impacting Financial (SOX) applications Netsuite, Zuora, and critical Enterprise Applications/systems.
• Other production systems like our enterprise data warehouse and integrations
• Implementing a new system policy for user access

Roles and Responsibilities

Role	Responsibility
IT Compliance Team	Maintain a mechanism to intake and respond to Change Management Activities
	Provide complete and accurate responses within documented SLA
	Document and report any risks or trends identified during Change Management Activities
	Maintain Metrics
Business Requestor	Complete the Change Management issue
	Work with the Technical Owner to document, test, and obtain approval(s) for change
Technical Owner	Work with the Business Requestor to ensure requested change is documented, tested, and approval(s) have been completed
	Ensure Peer Review is completed prior to obtaining Business Approval
Peer Review	Review and ensure requested change has been documented and there are no undocumented downstream impacts
Post Implementation Review	Review of the change in production after the change is made to ensure everything is working as expected
Business Owner	Review and provide approval prior to change being implemented

Change Request Types

Minor Change

A minor change is a low risk, well-understood change which does not require testing (such as with a record change, as opposed to a configuration change). Changes may be implemented directly in Production, have no financial impact, are related to general maintenance, and can be easily reversed.

• A minor change requires Manager Approval and Post-Implementation Review.

Standard

A standard change is a pre-authorized change that is low risk, relatively common and follows a specified procedure or work instruction.

• A standard change is one that is frequently implemented, has repeatable implementation steps, and has a proven history of success.
• Standard changes have to go through the change management process.
• They require a peer review, Impacted Team(s) Management (or Code Owner) approval, and post-implementation review.
  • Manager - prior to approving the change request, please ensure that the correct change request template is being used.

Comprehensive

A comprehensive change is high risk, high impact, or has a more complex procedure.

• All changes to financially significant applications also are considered comprehensive due to the type of systems that they affect and the potential impact that could occur if there is an issue.
• Infrastructure changes are also considered comprehensive.
• They require peer review, Impacted Team(s) Management approval (or Code Owner), Business Owner Approval, Head of IT Approval, and Post-Implementation Review.
  • Manager - prior to approving the change request, please ensure that the correct change request template is being used.

Emergency

An emergency change follows the same approval process as comprehensive.

• It can be entered for approval after the change has been implemented in production.
• Emergency changes are intended to be used only where there is an immediate critical need to correct an operational or security issue that is preventing users from working or transactions to not be processed or processed incorrectly.
• They require review and all approvals after the change has been implemented.

Approval Matrix

Approval Type	Description	Minor	Standard	Comprehensive	Emergency
Peer Review	Peer Reviews are performed by a peer of the change Requestor or Developer and are intended to identify any potential issues with the planned change or change process. Note: The peer review process was established to mitigate the risk of the lack of segregation of duties between developer and implementer. The review provides comfort that changes to the production environment are valid.	No	No	Yes	Yes
Post-Implementation Review	Performed by a peer of the change Requestor or Developer and are intended to ensure the change is working as expected after the change has been implemented in Production.	Yes	Yes	Yes	Yes
Impacted Team(s) Management/Code Owner approval	Approval by Management that is responsible for the particular system	Yes	Yes	Yes	Yes
Business Approval	Approval by Impacted Team(s) Management approval that is responsible for the particular system or is impacted by the change.	No	No	Yes	Yes
Head of IT, Business	The Head of IT must approve all changes made during blackout periods	No	No	Yes	Yes*

• (*) Refer to Emergency Change section under Change Request Types for approval requirement details.

Procedure

Blocked periods

Blocked periods are established to ensure that BT system changes do not adversely affect quarter-end, or year-end closing processes for financially significant applications.

Their duration is typically established by the requirements of the Finance and Sales departments and not IT itself.

Significant Enterprise Applications

• Quarter End Months (April, July, October, January): 2 weeks before and after the last day of the month.
• Month End Months (Non Quarter End Months): While we will have a heightened alert we will not black out on the end of Month 1 or Month 2 of the quarter.

All other applications and/or tools Last 7 calendar days and first 7** calendar days of each quarter

All exceptions need Head of BT and Business approval

*Significant Enterprise Applications are: Coupa, Netsuite, Salesforce, Zuora

**Finance impacted systems.

Business Technology Change Request Workflow

Business Technology change requests are important because they help us track and manage the risk of making wide-reaching configuration and setting changes. All requests for Application, Process, and/or Policy changes are initiated by the requestor submitting a Business Technology Change Request issue.

To make a global configuration or settings change to a third-party application or service:

• Create an issue in the Change Management project
• Dependent on the Change Type:
  • Standard Change: Will require Peer Review and Team Member Enablement Manager review and approval.
  • Comprehensive change: Will require Peer Review, Team Member Enablement Manager review, and A Change Advisory Board review and approval.
  • Emergency Change: Change can be completed prior to review and approval from the Change Advisory Board (CAB). Once the change has been implemented, the CAB will review during the next weekly CAB review.
    • A Change Advisory Board, consisting of:
      • Sr Director of Enterprise Applications
      • Sr Director of Data and Analytics
      • Team Member Enablement Manager
      • Head of IT
      • Legal (as needed)
    • IT will review the change request and engage Legal as needed. Additional participants will be included during weekly CAB reviews to include team members requesting change(s) and their managers.
• In the event a change request is not approved, IT will work with the individual submitting the change request to address any blockers/concerns.

Communication Changes

If during the Business Technology change request process it's decided team members should be notified of a change (for example, changing the default Google Doc sharing settings), please ensure that you communicate the change and its impact by posting in #whats-happening-at-gitlab.

If the change is approved and requires communication to team members, communicate the change, its rationale, and its impact.

Please note the change will always be implemented on a Tuesday following the change approval and communication. This will allow the ability and coverage should the change need to be backed out and re-reviewed.

If no communication is required or the change has been communicated already, make the change.

Exceptions

Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.

References