5.1.1.6.1 Documented change management process that identifies changes to critical processes that potentially affect the repository’s ability to comply
The repository shall have a documented change management process that identifies changes to critical processes that potentially affect the repository’s ability to comply with its mandatory responsibilities.
This is necessary in order to ensure that the repository can specify not only the current processes, but the prior processes that were applied to the repository holdings.
Documentation of change management process; assessment of risk associated with a process change; analysis of the expected impact of a process change; comparison of logs of actual changes to processes versus associated analyses of their impact and criticality.
Examples of this would include changes to processes for data management, access, archival storage, ingest, and security. The really important thing is to be able to know what changes were made and when they were made. Traceability makes it possible to understand what was affected by particular changes to the systems. If unintended consequences are later discovered, then having this record may make it possible to reverse the changes or at least to document the changes that were introduced. Change management is a component of the broader topic of configuration management described by ISO 10007:2003, which includes configuration management planning, configuration identification, change control, configuration status accounting, and configuration audit. Configuration management efforts should result in a complete audit trail of decisions and design modifications.
APTrust has multiple methods by which changes are tracked, managed, and assessed for risks.
All code is hosted in git code repos with versioning capability and logs of code changes. Currently this is a combination of GitHub and GitLab. Changes can currently be tracked and rolled back.
Next, CloudFormation and Ansible are both used for building and configuring the entire infrastructure and deploying the hosted containers with the applications. This is known as Infrastructure as Code (IaC), and changes can be tracked as part of the git repos. (All IaC is hosted in the git repos as well.) AWS provides a tool to monitor changes to resources and the impacts before deploying the change.
APTrust uses a ticketing system known as Trello, where all work is to be tracked and changes documented. It is a combination of Agile and Kanban methodology. Changes and risks are analyzed, with results and impacts from testing and deployment documented. Because APTrust has a full Staging environment, it is possible to completely test all changes.
AWS CloudTrail logs all API calls and Console activities, indicating when changes are made to the infrastructure, identities, and other critical items in a detailed audit log. These logs show time, resource, and systems changes, and the entity that made the change. The log includes the last 7 days of API activity for supported services, but is archived in an S3 bucket for future auditing purposes.
Parameter Store on AWS is now the primary credential repository for APTrust applications, and provides versioning control, as well as identifying what entity made any changes.
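The sketch below shows how the archived CloudTrail records described above can be reduced to a change trail of time, entity, action and resource, including Parameter Store updates. It is an added example, not APTrust's own code; the sample records, account ID, principals and resource names are constructed, and the TARGET_KEYS shortlist is an assumption covering only the three services shown.

```python
import json

# Constructed sample in the CloudTrail log-file layout (top-level "Records" array).
# Account ID, principals and resource names are invented for illustration.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-02T14:05:11Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "PutParameter", "readOnly": False,
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"name": "/example/app/db_password", "overwrite": True}},
    {"eventTime": "2024-03-02T14:01:40Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "readOnly": True,
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"name": "/example/app/db_password"}},
    {"eventTime": "2024-03-01T09:30:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "UpdateStack", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-deploy/ci"},
     "requestParameters": {"stackName": "example-staging"}},
    {"eventTime": "2024-03-03T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False,
     "userIdentity": {"type": "AWSService", "invokedBy": "example.amazonaws.com"},
     "requestParameters": None},
]})

# Assumption: a shortlist of requestParameters fields that name the changed resource.
TARGET_KEYS = ("name", "stackName", "bucketName")

def change_events(log_text):
    """Return mutating events (readOnly is not true) as an audit trail, oldest first."""
    trail = []
    for rec in json.loads(log_text).get("Records", []):
        # A record without readOnly is kept, so unknown events are never dropped.
        if str(rec.get("readOnly")).lower() == "true":
            continue
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        trail.append({
            "time": rec["eventTime"],
            "actor": ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown"),
            "action": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
            "target": next((params[k] for k in TARGET_KEYS if k in params), None),
        })
    return sorted(trail, key=lambda e: e["time"])  # same-format UTC strings sort by time

if __name__ == "__main__":
    for e in change_events(SAMPLE_LOG):
        print(e["time"], e["actor"], e["action"], e["target"])
```

Entries whose target is None are worth reviewing by hand, since the changed resource could not be identified from the shortlist.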