Establish, implement, and maintain back-out procedures for each proposed change in a change request.


CONTROL ID: 00373
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a back-out plan., CC ID: 13623

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Change management is the process of planning, scheduling, applying, distributing and tracking changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems, and other IT facilities and equipment. An effective change management process helps to ensu… (4.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • A licensed or registered person should also adopt an appropriate recovery method to enable successful roll-back of major system changes. (2.8. ¶ 2, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • O69.2(1): The organization should consider preserving the old system in case problems arise during the transition process. T15.1(3): The organization should backup the system before changes are made in case of a failure due to the change or addition and should develop recovery procedures for failure… (O69.2(1), T15.1(3), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • At the time that any functions are changed or added, it is recommended to check the influence on others and minimize it. (P96.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To minimise risks associated with changes, FIs should perform backups of affected systems or applications prior to the change. The FI should establish a rollback plan to revert to a former version of the system or application if a problem is encountered during or after the deployment. The FI should … (§ 7.1.6, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should perform a backup of the information asset prior to the change implementation, and establish a rollback plan to revert the information asset to the previous state if a problem arises during or after the change implementation. (§ 7.5.5, Technology Risk Management Guidelines, January 2021)
  • The organization should develop a backout plan or a fallback procedure to reverse a failed deployment. (Attach A ¶ 2(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Processes are defined in order to be able to roll back required changes as a result of errors or security concerns and restore affected systems or services into its previous state. (Section 5.11 BEI-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Establish an implementation and fallback/backout plan. Obtain approval from relevant parties. (AI7.3 Implementation Plan, CobiT, Version 4.1)
  • Verify that back-out procedures are prepared for each sampled change. (§ 6.4.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Provide back-out procedures for changes. (§ 6.4.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that back-out procedures are prepared for each sampled change (§ 6.4.4 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The organization must ensure the change control procedures include back-out procedures, operational testing, and approval by appropriate personnel. (§ 6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that back-out procedures are prepared for each sampled change. (§ 6.4.5.4 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Back-out procedures. (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Back-out procedures. (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Back-out procedures. (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are change-control procedures for implementing security patches and software modifications documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the securi… (6.4.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Back-out procedures? (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Back-out procedures? (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are change-control procedures documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the security of the system - Back-out procedures (6.4.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Back-out procedures? (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are change-control procedures for implementing security patches and software modifications documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the securi… (6.4.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Back-out procedures? (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are change-control procedures documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the security of the system - Back-out procedures (6.4.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are change-control procedures for implementing security patches and software modifications documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the securi… (6.4.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Back-out procedures? (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Back-out procedures? (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are change-control procedures documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the security of the system - Back-out procedures (6.4.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify that back-out procedures are prepared for each sampled change. (6.4.5.4, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • The organization should establish contingency plans, in case something happens during the go-live period. (§ 3.4 (Postlaunch Support), IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • Prior to changes being applied to the live environment, back-out positions should be established so that Information Systems and networks can recover from failed changes or unexpected results. (CF.07.06.03f, The Standard of Good Practice for Information Security)
  • Prior to changes being applied to the live environment, back-out positions should be established so that Information Systems and networks can recover from failed changes or unexpected results. (CF.07.06.03f, The Standard of Good Practice for Information Security, 2013)
  • Procedures shall be planned and tested for reversing or remedying unsuccessful changes. (§ 9.2 ¶ 11, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Procedures shall be planned and tested for reversing or remedying unsuccessful deployments of releases. (§ 9.3 ¶ 7, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. (§ 8.5.1.3 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Does the operation Change Management/Change Control policy or program include rollback procedures? (§ G.2.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the documented Change Management/Change Control Process include establishment of restart points? (§ I.2.22.3, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • The organization must include checkpoint and restart capabilities as part of any operation that updates files and uses large amounts of computer time. (CSR 3.5.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Local patch management policies should include rollback capabilities. (§ 5.10.4.1 ¶ 2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Defines rollback procedures in the event of unintended or negative consequences with the introduced changes. (App A Objective 6.11.h, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Are there implemented policies, procedures, and practices that allow the Credit Union to restore the previous configuration in case the software modification adversely affects one or more systems? (IT - Networks Q 31, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)