Skip to main content
All CollectionsData Transformation Office (DTO)Change Control Process
Change Control guidance - Service desk change types
Change Control guidance - Service desk change types

Guidelines to understand the MCB-GROUP Change control types

v
Written by vladimir.bonilla@mcb-bank.com
Updated over 4 months ago

Standard Changes (Business as usual) : These changes are created from pre-approved templates and are repeatable, routine tasks with no deviations. They are considered low risk and low impact.

Example: Business as usual tasks like routine software updates or regular maintenance tasks.

Approval: Standard Change require Line Manager Approval followed by the CAB approved predefined approvers.

Normal Changes (CAB) : These changes meet the defined lead time for testing and validation. They may involve single or multiple teams and can vary in risk level. All normal changes require authorization from the Change Advisory Board (CAB). The lead times for normal changes provide enough advance notice to present the requested changes to the CAB.

Example: Upgrading server hardware, implementing a new feature in a software application, New initiatives or projects.

Approval: These changes need Information Security, Technical, Business, and CAB committee

Expedited Changes: These changes must be approved or implemented outside of the normal change process or window but are not emergency changes. They follow an expedited process with much shorter lead times and require a reason for being expedited. These changes need approval from Information Security, Technical, Business, and CAB. It is the responsibility of the Change Owner (Requester) to shepherd the change through the approval process.

Example: Applying a critical security patch to prevent a potential threat or making urgent but non-critical updates to comply with new regulations.

Approval: These changes need CDO , DTO Management and CAB comitee (Expedited Changes Committee)

Applicability of Expedited changes :

  • A change that has been identified on Thursday and must be implemented the following day, Friday, prior to next CAB meeting.

  • External sources such as regulators or auditors

  • New requirements generated in response to Latent Changes by vendors, customers, or partners

  • New requirements generated in response to a recently implemented Change

  • Internal organizational or political changes.

Emergency Changes: These changes are used to restore service or fix a P1 Incident ("Critical service is down with customer and/or operational impact ") or P2 incident immediately (Critical systems are degraded with imminent impact for operations and/or customers) or in situations where the impact to a service is imminent if action is not taken. These changes do not follow the complete lifecycle of a normal change due to the speed with which they must be implemented and authorized. They are used to fix a one-time occurrence where system and/or customer impact is already present.

Example: Immediate restoration of a downed server, fixing a critical bug causing major service outages, or addressing a severe security breach.

Approval: This change can be approved by a member of the Emergency Change Committee (Emergency Changes Committee). The approval should be accompanied with a description and reason of the emergency.

Note: Emergency changes should always be communicated to CAB.

Related Articles
PCI DSS 4.0 Payment Card Industry Data Security Standard Summary
Change Control guidance - Standard Changes
Change Control guidance -How to fill a Change control within Service desk
Change Control Guidance - Change Advisory Board (CAB)
Change control guidance - Service Desk Change State
Did this answer your question?