Change Management Policy

Veridian Corp — IT Change Control Standards

Document ID: CM-001

Version: 2.0

Effective Date: January 15, 2026

Owner: IT Operations Team

Approved By: Chief Technology Officer

Change Classification & Approval

All changes to production systems, infrastructure, or applications must go through the Change Advisory Board (CAB) approval process before implementation.

Standard changes (pre-approved, low risk) must be logged in the Change Management system within 24 hours of implementation.

Non-standard changes require a completed Change Request form submitted at least 5 business days before the planned implementation date.

Emergency changes must receive approval from the CISO or CTO within 2 hours; the change request must be retroactively completed within 24 hours.

Change Planning & Testing

All changes must include a documented rollback plan that has been reviewed and approved before the change is executed.

All production changes must be tested in a staging environment that mirrors production before CAB submission.

Change success metrics must be defined in the Change Request and verified within 24 hours of implementation.

Change Windows & Freeze Periods

Change windows for production systems are restricted to Tuesday–Thursday, 10 PM–4 AM local time unless emergency approval is obtained.

Change freeze periods apply during the last 5 business days of each calendar quarter; no non-emergency changes are permitted during freeze periods.

Post-Implementation Review

Post-implementation reviews are required for all Severity 1 and Severity 2 changes and must be completed within 48 hours of implementation.

Changes to FDA-validated systems (MasterControl QMS, device firmware deployment pipeline) require Quality Assurance sign-off in addition to CAB approval.

Software changes to FDA-cleared device firmware must follow SOP-SW-002 and may require regulatory assessment per FDA-COMP-001.

Change Classification Matrix

TypeDefinitionCAB RequiredLead TimeRollback RequiredExamples
StandardPre-approved, low risk, documented procedureNo — log only24h post-implementationNoPassword policy update, cert renewal
NormalMedium risk, planned maintenanceYes5 business daysYesDatabase upgrade, OS patch batch
MajorHigh risk, cross-system impactYes + CTO review10 business daysYes + testedNetwork segmentation change, ERP upgrade
EmergencyActive incident mitigationCISO/CTO within 2hImmediateYesRansomware containment, critical CVE patch
FDA ValidatedChanges to Part 11 / QMS systemsYes + QA sign-off10 business daysYes + revalidation planMasterControl upgrade, firmware OTA

Change Advisory Board (CAB) Members

RoleNameDepartmentVoting Member
CAB ChairJames OkonkwoIT OperationsYes
CISOMarcus WebbIT SecurityYes
CTOElena VasquezEngineeringYes
QA RepresentativeDr. Sarah KimQuality AssuranceYes
DPOLisa KimLegal / ComplianceAdvisory
Regulatory AffairsDr. Elena VasquezRegulatoryAdvisory

Recent Production Changes (2026 Q1 Log)

Change IDDescriptionTypeDateSystemsOutcomePIR
CHG-2026-0847Azure AD conditional access policy updateNormalJan 14Identity / SSOSuccessComplete
CHG-2026-0901MasterControl QMS patch v2026.1FDA ValidatedFeb 4QMSSuccessComplete
CHG-2026-0956VPM-4000 firmware OTA v4.2.2FDA ValidatedFeb 18Device fleetSuccessComplete
CHG-2026-1023Critical OpenSSL CVE patch — prod APIEmergencyMar 2API GatewaySuccessComplete
CHG-2026-1089CloudHealth data pipeline migrationMajorMar 15PHI platformScheduled