Change management policy

To avoid potential security incidents, Vihanti requires change management controls to ensure only authorized changes are made to its environment and processes.

Environment

Code changes

Changes to code in Vihanti’s environment made by an employee or contractor must be reviewed and approved by another employee prior to being merged and rolled out.

Exceptionally, employees can push changes without a review where they are required to mitigate an incident.

Dependencies

Dependencies can be updated without requiring a separate reviewer.

Documentation

Documentation can be updated without requiring a separate reviewer.

Infrastructure changes

Employees should notify others prior to making changes to Vihanti’s infrastructure. Where infrastructure is codified and uses a deployment tool, infrastructure changes should be approved by another employee prior to being deployed.

Customer accounts

Vihanti may make changes to customers’ networks and accounts at their request. Changes are initiated by customer support tickets.

Vihanti may also make changes to customer environments without the customer initiating the request, such as when required by law or due to an urgent security issue.

Security policies

Security policies must have a change log to allow auditing of past changes, including when and by whom these changes were made. Vihanti stores these security policies in GitLab and uses git to track changes.

Vihanti will review and evaluate its security policies, adapt them as needed due to changing risks, and validate if the implemented information security continuity controls are sufficient on a quarterly basis.