The evolution of an IT department is always something interesting to observe. The is especially the case when they move from small departmental IT groups to corporate level oversight. It is usually painful for the people involved to give-up their ability to modify servers on the fly and conform to rigorous testing and documentation. Having the keys to your environments taken away can really feel like getting stabbed in the back especially when the new deployment team is still working out there processes. Unfortunately these are the evils of ensuring a stable system.
So what is really needed for a change control process? This is meant to be an overview rather than a deep dive, but here we go.
A change control process needs to ensure the security and stability of your environments and data as well as compliance with regulations. The main keys are limiting access, an approval process, separation of duties and keeping a history of changes.
Limiting access and the separation of duties go hand-in-hand. Limiting access to your QA and production environments ensures that only approved individuals update software that could cause outage or effect data that may be sensitive or cause losses.
Approval and documentation are related to each other as well. You approval process will vary depending on the size of your company and the number of regulatory bodies that have oversight. At the very least these process all affected system owners and stakeholders need to be aware that changes are going in to production.
Exception processes also have to be put into place for emergencies. These maintain the oversight, but allow changes to happen more quickly and off the normal schedules. The last thing you want to have is a system down scenario and trying to figure out how to stay in compliance at the same time.
In the end the pain usually only lasts while the teams get accustomed to the processes. Make sure that you document the process well and educate every new team member so that there are no misunderstandings and it will eventually become part of your culture.