Emergency modifications are periodically needed to correct software problems or restore processing operations quickly. Although the changes must be completed quickly, they should also be implemented in a well-controlled manner.
Emergency change standards should include procedures similar to those for routine change controls. However, the standards should include abbreviated change request, evaluation, and approval procedures to ensure changes are made quickly. The standards should be designed to ensure management completes detailed evaluations and documentation of emergency changes as soon as possible after implementation.
Whenever possible, emergency changes should be tested prior to implementation. If management is unable to thoroughly test emergency modifications before installation, it is critical that they appropriately backup files and programs and have established back-out procedures in place.
Appropriate backups, established back-out procedures, and detailed documentation enhance management's ability to reverse changes if they cause system disruptions. Detailed documentation also enhances management's ability to analyze the impact of any changes during post-change evaluations. At a minimum, emergency change procedures should require:
- Pre-change reviews and authorizations;
- Pre-change testing (in segregated testing environments);
- Backup/backout procedures;
- Documentation that includes:
- Descriptions of a change;
- Reasons for implementing or rejecting a proposed change;
- The name of the individual who made the change;
- A copy of the changed code;
- The date and time a change was made; and;
- Post-change evaluations.