Change management in Pega Cloud Services
This article is part of the Pega Cloud Services Subscription Documentation.
Pegasystems provides comprehensive change management for Pega Cloud Services environments. Changes are efficiently and securely planned, reviewed, tested, implemented, and validated.
Pega is responsible for managing all changes to the Pega Cloud Services environments, which include the underlying cloud infrastructure, Pega Platform, and Pega applications. Changes to applications that are layered on top are the client's responsibility. Client-built applications must conform to established Pega Platform best practices and Guardrail Compliance instructions that are posted on Pega Community and provided in the Pega Platform Designer Studio.
To request a Pega Cloud Services environment change, a client should submit a Support Request (SR) of the type Change Request through My Support Portal (available 24 hours a day, seven days a week) and provide all relevant change plan information, materials, and supporting documentation. Each SR must include a complete description of the change, a change plan with at least one task, and proposed start and end dates, times, and time zone. No changes can be made that are not explicitly requested in the SR. For information about additional client responsibilities pertaining to client requests to change access levels, data, or the platform, see Access, data, and platform changes.
After the SR is submitted, the status and progress of the requested change is visible within My Support Portal until the requested change has been implemented and confirmed to be working satisfactorily. All approved change requests are coordinated and scheduled with the requestor to ensure that there is minimal impact to the Pega Cloud Services environment.
Change requests should only be submitted for activities that the client cannot perform through the Pega Platform Designer Studio. For example, RAPs containing rules, classes, data, and so on, can be created and easily imported to a Pega Cloud Services environment by clients without the assistance of Pegasystems. Changes required for the proper operation of cloud environments or applications (configuration file changes, Pega software upgrades, and so on) require SR submission.
The individual tasks in an SR change request are divided into the following two categories:
- Standard – Change tasks in the Standard category represent low-risk changes for which Standard Operating Procedures (SOPs) exist. Tasks in this category are specific, concrete, and pose little or no information security or compliance risks.
- Significant – Change tasks in the Significant category represent higher risk changes. Tasks in this category are further divided into subcategories: Access changes, Data changes, and Platform changes. For more information about client responsibilities pertaining to client requests to change access levels, data, or the platform, see Access, data, and platform changes.
To ensure that changes to production environments conform to security, compliance, and quality controls, change requests that include one or more Significant change tasks for these live environments must be approved by the Pega Cloud Services Change Advisory Board. Production change requests that include only Standard change tasks do not require Change Advisory Board review.
The Change Advisory Board meets three times weekly, on Monday, Wednesday, and Friday mornings (Eastern Time), and includes Security, Compliance, and Operations representatives. The Change Advisory Board reviews all Significant production changes from baseline (before and after "Go live") to ensure that Pegasystems does not introduce security issues, performance problems, unapproved configurations, compliance deviations, non-standard features, or capabilities that are not listed in the Pega Cloud Services Guide. No changes can be made that would alter security controls or violate industry and government compliance regulations.
All production environment change requests that include one or more Significant change tasks, except emergency change requests, require:
- A minimum of 72-hours advance notice
- A description of the change to be made
- A completed Change Plan that details all of the required tasks
- Non-production environment implementation reference SR and test results
- Requested start and end dates, times, and time zone for the change to be implemented
The Change Advisory Board may deny a requested change because of security, operations, compliance, or other business reasons including, but not limited to, restrictions outlined by the Pega Cloud Services Guide. A denial reason for a change request will be recorded in the SR as well as alternative options (when available) and/or additional instructions or questions. Pega Cloud Services clients can appeal denied change requests by resubmitting the SR with additional justification or by confirming that remediation steps were taken as recommended in the original denial notice.
To protect the security of Pega Cloud Services client information in production environments, Pegasystems requires written authorization from a Client Security Officer for access level changes, data changes, and platform changes. Additionally, Pegasystems may require a signed liability release form for requests to directly access a production database, or to copy production data to a non-production environment.
- Access changes – Access level changes include requests to modify the authentication or authorization facilities of the environment, and other changes to access security files, such as certificates, ciphers, and network configuration files.
- Data changes – Data changes include requests to modify (update, delete, drop, or truncate) production data, and requests to copy, extract, or transmit production data in any way that could compromise data security.
- Platform changes – Platform changes include requests to modify files or folders in the Pega Cloud Services environment, change platform configuration (for example, storage, memory, or kernel parameters), and any requests to install or change software that is not a part of the Pega Cloud Services Guide.
Change requests for non-production environments (for example, development, test, staging, user acceptance testing, and so on) are not reviewed by the Change Advisory Board, because they do not require compliance or security impact analysis; however, they require a full change plan and a description of the change to be made.
For a service outage or other critical change to a production environment that includes one or more Significant change tasks and requires an immediate response that cannot wait for Change Advisory Board review, 72-hour advance notice and lower environment (non-production environment) testing is not required.
Emergency changes have associated risks because of the reduced time and scope of the compliance and security review that can be performed.
Requests for an emergency change must be authorized by a Pega Cloud Services Change Manager upon confirmation of a justifiable emergency. For authorization, an emergency change request must include the following information:
- Required change plan details
- Declaration that the request is an emergency
- Justification for (nature of) the emergency change
- Name and title of the client contact requesting the emergency change
- Requested start date and time to implement the emergency change
Change Advisory Board review of emergency change requests is conducted after implementation and validation of emergency changes. If a post-fulfillment Change Advisory Board review determines that an emergency change violates security controls, or industry or government compliance regulations, the client is notified and the change will be rolled back. Additional information about the denial reason for the change request is added to the SR.
To change the terms of a Pega Cloud Services subscription (for example, to add a new Strategic Application to the configuration), please contact a Pega Account Executive.