Purpose

This Change Management Policy ensures that all modifications to MailSlurp’s infrastructure, applications, and services are systematically planned, tested, approved, and documented. By following recognized best practices (e.g., ITIL, ISO 27001), MailSlurp aims to minimize risk and maintain service continuity for customers.

Scope

This policy applies to:

  • All production systems, applications, and environments under MailSlurp’s control
  • All employees, contractors, and third parties responsible for implementing changes to these systems

Roles and Responsibilities

  • Change Requestor: Submits and documents change requests, providing justification, risk assessment, and implementation details.
  • Change Manager: Reviews and prioritizes change requests, chairs the Change Advisory Board (CAB) meetings, and coordinates approvals.
  • Change Advisory Board (CAB): A cross-functional team that evaluates changes for risk, impact, and alignment with business objectives.
  • Implementer: Executes the approved change following documented procedures and rollback plans.
  • Quality Assurance (QA) / Security: Conducts testing, validation, and security reviews before and after the change.

Types of Changes

  • Standard Changes: Low-risk, well-understood modifications with pre-approved procedures (e.g., routine patches).
  • Normal Changes: Non-urgent changes requiring full CAB review, risk assessment, and testing before approval.
  • Emergency Changes: High-priority changes needed to resolve critical incidents or security vulnerabilities. These follow an expedited approval process.

Change Management Process

  1. Request and Documentation

    • The Change Requestor logs a change request in the ticketing system, detailing the purpose, scope, impact, and risk mitigation strategies.

  2. Review and Classification

    • The Change Manager or delegated authority reviews the request, classifies it (standard, normal, or emergency), and assigns a priority level.

  3. Risk Assessment and Approval

    • The CAB (or designated approver) evaluates potential impact on security, compliance, and operations.
    • If approved, the change is scheduled based on business priorities and resource availability.

  4. Implementation

    • The Implementer carries out the change following documented steps, including a predefined rollback plan.
    • Emergency changes require post-implementation CAB review but may bypass some initial steps if the situation demands immediate action.

  5. Testing and Validation

    • QA and Security teams validate that the change meets the intended objectives, adheres to security requirements, and does not introduce new vulnerabilities.

  6. Post-Implementation Review

    • The Change Manager conducts a review of the change outcome, confirming success or identifying issues.
    • Lessons learned are documented and shared with relevant stakeholders.

  7. Documentation and Closure

    • All details, including test results, approvals, and final status, are updated in the ticketing system.
    • The change is marked as closed once confirmed successful.

Emergency Changes

  • Definition: A change that must be made immediately to address a critical incident, severe outage, or high-risk security flaw.
  • Process: Emergency changes are documented as soon as possible, approved by at least one CAB member or delegated authority, and implemented with minimal delay. A full retrospective review occurs once stability is restored.

Post-Implementation Review

  • Objective: Assess whether the change achieved its intended goals without unexpected impact on systems or customers.
  • Review Points:
    • Validation of success criteria
    • Any deviations from the original plan
    • Root cause analysis for any issues encountered
    • Potential improvements to the process

Documentation and Records

  • Ticketing System: Serves as the authoritative record for all change requests, approvals, test results, and closure notes.
  • Audit Trail: Logs of who requested, approved, and implemented each change are retained for compliance and forensic analysis.

Review and Revision

  • Annual Review: This policy is reviewed and updated at least once a year or upon significant changes to MailSlurp’s business or technology environment.
  • Change Approval: Any updates to this policy require review by the Change Manager and final approval by the Executive Leadership Team.

Enforcement

Non-compliance with this policy may result in disciplinary actions, up to and including termination for employees, or contract cessation for third parties. Ensuring adherence to the Change Management Policy is critical for maintaining MailSlurp’s security, reliability, and compliance posture.

Approved by: Jack Mahoney, CTO