The Change Management process in Pega Cloud Services environments

Pega Cloud Services provides comprehensive change management for your Pega Cloud environments. Pega Cloud Services efficiently and securely plans, reviews, tests, implements, and validates your requested changes.

Responsibilities

Pegasystems manages all changes to the Pega Cloud Services environments, which includes the underlying cloud infrastructure and patches to Pega-licensed products. You are responsible for the top-layer applications, and must conform them to the established Pega Platform best practice and Guardrail Compliance instructions.

For more information, see the Guardrails landing page.

For more information about client responsibilities pertaining to client requests to change access levels, data, or the platform, see the Access, data, and platform changes section below.

Requesting changes

To request a Pega Cloud Services environment change, make a request by selecting New request in My Support Portal. Select For something I need, then select Cloud Change.

In this change request, provide the following items:

  • All relevant change plan information
    • Complete description of the change
    • Change plan with at least one task for the Pega Cloud Services team
  • Materials
  • Supporting documentation
  • Proposed start and end dates, times, and time zones for the change

Pega Cloud Services cannot make a change unless the change is explicitly mentioned in the request.

You cannot request to move your customer data or other client-confidential information into a non-Production environment.

When submitting a Cloud Change request via My Support Portal, you must anticipate a minimum of two hours' notice before requiring the change. If a Cloud Change is needed sooner because of downtime in the environment related to a Severity 1 ticket, please call Pegasystems Support for assistance from a representative.

After you submit the request, you can view the status and progress of the requested change within My Support Portal until its implementation is confirmed to work satisfactorily. Pega Cloud Services coordinates and schedules all approved change requests with the client to ensure minimal impact on their Pega Cloud Services environment.

You should only submit change requests for activities that you cannot otherwise perform through Dev Studio. For example, you can create and import RAP files that contain rules, classes, data, etc., without Pega assistance. For Pega software upgrades and other changes required for the proper operation of cloud environments, submit a request to My Support Portal.

If you have change requests for multiple environments, please submit a separate request for each environment.

Change categories

The individual tasks in a change request are divided into the following two categories:

  • Standard: Low-risk changes that are specific, concrete, and pose little information security or compliance risk.
  • Significant: Higher-risk changes that require review by the Pega Cloud Change Advisory Board.

    Tasks in this category are further subdivided into the following categories:

    • Access changes
    • Data changes
    • Platform changes

    For more information about client responsibilities pertaining to client requests to change access levels, data, or the platform, see the Access, data, and platform changes section below.

Production changes

To ensure that changes to production environments conform to security, compliance, and quality controls, change requests that include one or more Significant-category change tasks to live environments must be approved by the Pega Cloud Change Advisory Board for security and business-risk purposes. Production change requests that include only Standard change tasks do not require Pega Cloud Change Advisory Board review.

The Pega Cloud Change Advisory Board, which includes Security, Compliance, and Operations representatives, meets three times weekly on Monday, Wednesday, and Friday mornings, Eastern Time. The Pega Cloud Change Advisory Board reviews all significant production changes from baseline, both before and after "go live," so that Pega does not introduce security issues, performance problems, unapproved configurations, compliance deviations, or non-standard features. Pega Cloud Services cannot make a change that alters security controls or violates industry and government compliance regulations.

All production environment change requests that include one or more Significant-category change tasks, with the exception of Emergency change requests (see section below), require the following items:

  • A minimum of 72-hour advance notice
  • A description of the change
  • A completed Change Plan that details all of the required tasks
  • A reference request for the change in the lower (non-production) environment
  • Test results for full testing of the change in the lower (non-production) environment
  • Requested start and end dates, times, and time zone for the requested change

For production environments, the requested change can only be made during your specified maintenance window.

When you request a change, you must provide the above information in your request. If Pega is making the change for maintenance reasons, Pega Cloud Services will create the request and include the above information.

The Pega Cloud Change Advisory Board may deny a requested change due to security, operations compliance, or other business reasons including, but not limited to, restrictions outlined by the Pega Cloud Services Subscription documentation. Pega Cloud Services will include the reason for denial in the request, as well as alternative options (when available) and additional instructions or questions.

You can appeal a denied change request by resubmitting the request with additional justification, or by confirming that you took the recommended remediation steps.

Access, data, and platform changes

To protect the security of Pega Cloud Services client information in production environments, Pega requires written authorization from your Client Security Contact for access level changes, data changes, and platform changes. This written authorization must provide all the details necessary to implement the change; you must make the authorization specific to one request only and provide it to Pega Cloud Services through email, document, or letter. Pega Cloud Services attaches the authorization to the Change Request as an audited record of the request. Additionally, Pega may require a signed liability release form for requests to directly access a production database.

  • Access changes: Access level changes include requests to modify the authentication or authorization facilities of the environment, and other changes to access security files, such as certificates, ciphers, and network configuration files.
  • Data changes: Data changes include requests to modify (update, delete, drop, truncate) production data, and requests to copy, extract, or transmit production data in any way that could compromise data security.
    You cannot request to move your customer data or other client-confidential information into a non-Production environment.
  • Platform changes: Platform changes include requests to modify files or folders in the Pega Cloud Services environment, change platform configurations (for example, kernel parameters or services), and any requests to install or change software that is not part of Pega Cloud Services.

Non-production changes

Change requests for non-production environments (for example, development, test, staging, user acceptance testing, etc.) are not reviewed by the Pega Cloud Change Advisory Board, because they do not require compliance or security impact analysis; however, they require a full change plan and a description of the change to be made.

Emergency changes

For a service outage or other critical change to a production environment that includes one or more Significant-category change tasks and requires a response that cannot wait for the Pega Cloud Change Advisory Board, the 72-hour advance notice and lower environment (non-production environment) testing are not required.

Emergency changes contain associated risks due to the reduced time and scope of the compliance and security review that can be performed.

The Pega Cloud Change Advisory Board must authorize requests for an emergency change upon confirmation of a justifiable emergency. For authorization, an emergency change must include the following information:

  • Required change plan details
  • Declaration that the request is an emergency
  • Justification for the emergency change
  • Name and title of the client contact requesting the emergency change
  • Requested start date and time to implement the emergency change

The Pega Cloud Change Advisory Board conducts reviews after implementation and validation of emergency changes. If a post-fulfillment Pega Cloud Change Advisory Board review determines that an emergency change violates security controls, or an industry or government compliance regulation, Pega Cloud Services notifies you and rolls back the changes. Additional information about the denial reason for the change request is added to the request.

Subscription changes

To change the terms of a Pega Cloud Services subscription, such as adding a new Strategic Application to the configuration, please contact a Pega Account Executive.
