I. PURPOSE

To provide Department of Mental Health (DMH) staff with policy regarding the protection of Los Angeles County information, data, and information processing resources for system maintenance and enhancement requests. To establish uniform guidelines for the prevention of fraud, embezzlement, and other abuses that take advantage of an individual's restricted access to the mental health systems in a production environment. To specify standards for the protection of mental health data and information from loss, unauthorized use, modification, disclosure, or reproduction, and to ensure the implementation and promotion of compliance with controls, standards, and procedures.

II. DEFINITION

No definitions are associated with this policy.

III. POLICY

All computer systems used for production processing shall employ a formal change control procedure to ensure that only authorized changes are made. The change control procedure shall be used for all significant changes to software, hardware, and communications links.

Before development (programming or configuration) of a system is authorized, management shall review documentation showing that the system design satisfies user/manager requirements and incorporates control requirements. This documentation shall be available for examination.

Written approval from Chief Information Office (CIO) Management and system owners shall be provided before production processing. In some instances, the user/manager may be at the level of Program Head or above.

Documentation reflecting all significant changes to production, computer, and communications systems shall be prepared within a week from the time that a change took place, including the proposed change, management approval, and the way in which the change was performed. Requests to make an emergency change shall be documented immediately, with authorization.

For each system, a systems control procedure shall be developed to ensure that all appropriate safeguards are incorporated into the system, tested before implementation, and tested periodically after implementation.

Periodic reviews of production operating systems shall be conducted to ensure that only authorized changes have been made. As a security measure, whenever a computer-based process involves sensitive, valuable, or critical information, the system shall include controls involving the separation of duties or other compensating control measures. No one individual shall have exclusive control over such information assets.

Separation of duties shall be applied to all development and modification of programs.

All tasks involving sensitive, valuable, or critical information shall require at least two systems analysts and/or programmers, from beginning to end, to coordinate transactions.

All transactions shall be reviewed and approved by the CIO Division Chief, Systems Management, the CIO Security Administrator, and, in some instances, the user/manager.

No employee has the authority to approve his/her own work under any circumstances.

If the procurement of third-party software is being considered, management shall obtain a written integrity statement from the vendor involved. This statement shall provide assurance that the software in question does not contain undocumented features or hidden mechanisms that could be used to compromise the software's security, and that it will not require modification or abandonment of controls found in the operating system under which it runs.

Prior to being placed into production use, each new or significantly modified/enhanced business application system shall include a brief security impact statement that has been prepared according to standard procedures.

DMH uses access controls and other security measures to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems. Individuals who violate this policy shall be subject to disciplinary action, including suspension, discharge from County service, termination of agreements, denial of service, and/or criminal and civil prosecution.

IV. PROCEDURES

Procedures - Systems Change Control

V. AUTHORITY

VI. ATTACHMENT

No attachments are associated with this policy.