graphgrc

OPS-01: Change Management

Objective

Minimize risk from production changes through controlled processes.

Description

Changes to production systems follow a defined process. Changes are reviewed, tested, and approved. Emergency changes are documented after the fact. Rollback procedures are in place.

Implementation Details

Change Process: All production changes require GitHub pull request with peer review. Terraform changes require approval from senior engineer.

Testing: Changes deployed to staging environment first. Automated tests must pass. Manual QA sign-off for risky changes.

Change Window: Standard changes deployed during business hours. High-risk changes during maintenance window with customer notice.

Emergency Changes: Allowed for critical security/availability issues. Post-mortem required within 48 hours.

Examples

• All infrastructure changes require Terraform PR with two approvals
• Application deployed to staging, passes automated tests, then promoted to production
• Database schema change tested in staging, deployed during maintenance window
• Emergency patch deployed for critical vulnerability, post-mortem completed next day

Audit Evidence

• Change management procedure
• GitHub pull request history showing reviews and approvals
• Deployment logs with timestamps
• Emergency change post-mortems

---

Framework Mapping

SOC 2

• CC8.1 ^[Change management process implements changes with review, testing, and approval to mitigate processing integrity risks]

GDPR

• Article 32 ^[Controlled change management ensures ongoing security and prevents unauthorized changes affecting personal data processing]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

Standards:

• GitHub Security Standard ^[Branch protection on main, require PR reviews, no force pushes, status checks required]

Processes:

• Change Management Process ^[8-step process: proposal, automated testing, peer review, security review, staging deployment, production deployment, verification, rollback]

Policies:

• Engineering Security Policy ^[Requires peer review (minimum 1 approval), security review for sensitive changes, automated testing before merge]

This site is open source. Improve this page.