LinkedIn
Copied!

Table of Contents

The Change Management process in Pega Cloud Services environments

Pega Cloud Services provides comprehensive change management for your Pega Cloud environments. Pega Cloud Services efficiently and securely plans, reviews, tests, implements, and validates your requested changes.

Responsibilities

Pegasystems manages all changes to the Pega Cloud Services environments, which includes the underlying cloud infrastructure and patches to Pega-licensed products. You are responsible for the top-layer application layer applications and must conform them to the established Pega Platform best practice and Guardrail Compliance instructions.

For more information, see Improving your compliance score.

For more information about client responsibilities pertaining to client requests to change access levels, data, or the platform, see the Access, data, and platform changes section below.

Requesting changes

To request a Pega Cloud Services environment change, make a request by selecting New request in My Support Portal. Select For something I need, then select Cloud Change. In this change request, provide the following items:
  • All relevant change plan information, including:
    • Complete description of the change
    • Change plan with at least one task for the Pega Cloud Services team
  • Materials
  • Supporting documentation
  • Proposed start and end dates, times, and time zones for the change

Pega Cloud Services cannot make a change unless the change is explicitly mentioned in the request.

Client requests to migrate your customer data or other client-confidential information into a non-Production environment are not supported and such requests will be automatically denied.

When submitting your Cloud Change request, you should provide a minimum of two hours notice for Pega Cloud Services to complete the change. If you require less time for a high priority change, the team will complete your request using a Severity 1 ticket and downtime will be required. For such high-priority changes, please call Pegasystems Support for assistance from a representative.

After you submit the request, you can view the status and progress of the requested change within My Support Portal until its implementation is confirmed to work satisfactorily. Pega Cloud Services coordinates and schedules all approved change requests with you to verify that the change has minimal impact to your Pega Cloud Services environment.

You should only submit change requests for activities that you cannot otherwise perform through the Dev Studio. For example, you can create and import RAP files that contain rules, classes, and data without Pega assistance. For Pega software upgrades and other changes required for the proper operation of cloud environments submit a request to My Support Portal.

If you have change requests for multiple environments, please submit a separate request for each environment.

Change categories

The individual tasks in a change request are divided into the following two categories:

  • Standard: Low-risk changes that are specific, concrete, and pose little information security or compliance risk.
  • Significant: Higher-risk changes that require review by the Pega Cloud Change Advisory Board.

    Tasks in this category are further subdivided into the following categories:

    • Access changes
    • Data changes
    • Platform changes

    For more information about client responsibilities pertaining to client requests to change access levels, data, or the platform, see the Access, data, and platform changes section below.

    Change request tasks can be classified as singular or non-singular. For singular tasks, you cannot add additional tasks to your change request.

Production changes

To make sure that changes to production environments conform to security, compliance, and quality controls, change requests that include one or more Significant-category change tasks to production environments must undergo technical review and be approved by the Pega Cloud Change Advisory Board (CAB) for security and business-risk purposes. Change requests for Standard change tasks do not require technical approval or CAB review.

For Significant change requests in production environments, Pega recommends that you test the change in a non-production environment (development or staging) before submitting the change request for the production environment. When submitting the production change request, provide the change request case ID from the test in the non-production environment. This best practice helps prevent untested and potentially harmful changes from being rolled out to production.

The CAB includes Security, Compliance, and Operations representatives; it meets three times weekly on Monday, Wednesday, and Friday mornings on Eastern Time. The CAB reviews all significant production changes from baseline, both before and after "Go live," so that Pega does not introduce security issues, performance problems, unapproved configurations, compliance deviations, or non-standard features. Pega Cloud Services cannot make a change that alters security control or violate industry and government compliance regulations.

All production environment change request that include one or more Significant-category change tasks, with the exception of Emergency change requests (see section below), require the following items:

  • A description of the change
  • A completed Change Plan that details all of the required tasks
  • A reference request for the change in the lower (non-production) environment
  • Test results for full testing of the change in the lower (non-production) environment
  • Requested start and end dates, times, and time zone for the requested change
For production environments, the requested change can only be made during your specified maintenance window.

When you request a change, you must provide the above information in your request. If Pega is making the change for maintenance reasons, Pega Cloud Services will create the request and include the above information.

Pega Cloud Change Advisory Board may deny a requested change due to security, operations compliance, or other business reasons including, but not limited to, restrictions outlined by the Pega Cloud Services Subscription documentation. Pega Cloud Services will include the reason for denial in the request, as well as alternative options (when available) and additional instructions or questions.

You can appeal denied change request by resubmitting the request with additional justification, or by confirming you took rectifying steps as recommended.

Withdrawing or rolling back change requests

You may withdraw a change request up to 30 minutes before its scheduled start time. To withdraw a change request, call Pegasystems Support or update a Pulse note in MSP before the implementation starts.

If the change request implementation has already started, you can request to roll back the change by calling Pegasystems Support or adding a Pulse note in MSP. After the change request has been implemented, it will remain open for 96 hours so that you may validate it if needed.

Access, data, and platform changes

To protect the security of Pega Cloud Services client information in production environments, Pega requires written authorization from your Client Security Contact for access level changes, data changes, and platform changes. This written authorization must provide all the details necessary to implement the change; you must make the authorization specific to one request only and provide it to Pega Cloud Services through email, document, or letter. Pega Cloud Services attaches the authorization to the Change Requested as an audited record of the request. Additionally, Pega may require a signed liability release form for requests to directly access a production database.

  • Access changes: Access level changes include requests to modify the authentication or authorization facilities of the environment, and other changes to access security files, such as certificates, ciphers, and network configuration files.
  • Data changes: Data changes include requests to modify (update, delete, drop, truncate) production data, and requests to copy, extract, or transmit production data in any way that could compromise data security.
    You cannot request to move your customer data or other client-confidential information in a non-Production environment.
  • Platform changes: Platform changes include requests to modify files or folders in the Pega Cloud Services environment, change platform configurations (for example, kernel parameters, or services, and any requests to install or change software that is not part of Pega Cloud Services.

Non-production changes

Change requests for non-production environments (for example, development, test, staging, user acceptance testing, etc) are not reviewed by the Pega Cloud Change Advisory Board, because they do not require compliance or security impact analysis; however, they require a full change plan and a description of the change to be made.

Scheduling change requests

When you create a change request, you specify a Start date and time, which determines the urgency of your request. Based on the duration between the time of submission and the schedule start date and time, your request is classified with an urgency of either Normal or Emergency. The following table defines the criteria under which a change request is considered an emergency.

Change request urgency definitions

Standard change request for any environment If the planned schedule is > 48 hours from the time of submission, the urgency is classified as Normal; if not, it is classified as Emergency.
Significant change request for a non-production environment If the Planned schedule is >72 hours from the time of submission, the urgency is classified as Normal; if not, it is classified as Emergency.
Significant change request for a production environment If the planned schedule is > 12 hours in the future or two hours after the CAB starts, whichever is greater; andthe change request is submitted at least 4 hours before the next CAB meeting, the urgency is classified as Normal; if not, it is classified as Emergency.

Emergency changes

For a service outage or other critical change to a production environment that includes one or more Significant-category change tasks and requires a response that cannot wait for the CAB, lower environment (non-production environment) testing is not required.

Emergency changes contain associated risks due to the reduced time and scope of the compliance and security review that can be performed.

The CAB must authorized requests for an emergency change upon confirmation of a justifiable emergency. For authorization, an emergency change must include the following information:

  • Required change plan details
  • Declaration that the request is an emergency
  • Justification for the emergency change
  • Name and title of the client contact requesting the emergency change
  • Requested start date and time to implement the emergency change

The CAB conducts requests after implementation and validation of emergency changes. If a post-fulfillment CAB review determines that an emergency change violates security controls, or an industry or government compliance regulation, Pega Cloud Services notifies you and rolls back the changes. Additional information about the denial reason for the change request is added to the request.

Suggest Edit
Did you find this content helpful?

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.