Establish, implement, and maintain a change control program.


CONTROL ID
00886
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Include potential consequences of unintended changes in the change control program., CC ID: 12243
  • Include version control in the change control program., CC ID: 13119
  • Include service design and transition in the change control program., CC ID: 13920
  • Separate the production environment from development environment or test environment for the change control process., CC ID: 11864
  • Integrate configuration management procedures into the change control program., CC ID: 13646
  • Establish, implement, and maintain a back-out plan., CC ID: 13623
  • Manage change requests., CC ID: 00887
  • Establish, implement, and maintain emergency change procedures., CC ID: 00890
  • Perform risk assessments prior to approving change requests., CC ID: 00888
  • Implement changes according to the change control program., CC ID: 11776
  • Establish, implement, and maintain a patch management program., CC ID: 00896
  • Establish, implement, and maintain a software release policy., CC ID: 00893
  • Mitigate the adverse effects of unauthorized changes., CC ID: 12244
  • Establish, implement, and maintain approved change acceptance testing procedures., CC ID: 06391
  • Update associated documentation after the system configuration has been changed., CC ID: 00891


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should have formal change management procedures to keep their BCPs updated in respect of any relevant changes with proper approval and documentation. In the event that a plan has been activated, a review should be carried out once normal operations are restored to identify areas for improvement.… (6.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Change management is the process of planning, scheduling, applying, distributing and tracking changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems, and other IT facilities and equipment. An effective change management process helps to ensu… (4.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Change management rules and change procedures must be defined and approved by persons in charge of the user, development, and maintenance departments. The development department must control large changes. This is a control item that constitutes a greater risk to financial information. This is an IT… (App 2-1 Item Number VI.6.1(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O26: The organization shall define procedures for revising data files. O73: The organization shall establish and maintain an operation and management organization for the development or modification of systems to install new software. (O26, O73, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Change Management (Critical components of information security 1) 2) q. xviii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Information security needs to be considered at all stages of an information asset's life-cycle like planning, design, acquisition and implementation, maintenance and disposal. Banks need to apply systematic project management oriented techniques to manage material changes during these stages and to … (Critical components of information security 6) (i), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Any changes to an application system/data need to be justified by genuine business need and approvals supported by documentation and subjected to a robust change management process. The change management would involve generating a request, risk assessment, authorization from an appropriate authority… (Critical components of information security 11) c.12., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The change management process should be documented, and include approving and testing changes to ensure that they do not compromise security controls, performing changes and signing them off to ensure they are made correctly and securely, reviewing completed changes to ensure that no unauthorised ch… (Critical components of information security 20) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A change management process should be established, which covers all types of change. For example, upgrades and modifications to application and software, modifications to business information, emergency 'fixes', and changes to the computers / networks that support the application. (Critical components of information security 20) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Applications must not allow unauthorized entries to be updated in the database. Similarly, applications must not allow any modifications to be made after an entry is authorized. Any subsequent changes must be made only by reversing the original authorized entry and passing a fresh entry. (Critical components of information security 11) c.15., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Ongoing support and maintenance controls would be needed to ensure that IT assets continue to meet business objectives. Major controls in this regard include change management controls to ensure that the business objectives continue to be met following change; configuration management controls to en… (Critical components of information security 6) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The change management process should apply to changes pertaining to system and security configurations, patches for hardware devices and software updates. (§ 7.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should establish a change management process to ensure that changes to production systems are assessed, approved, implemented and reviewed in a controlled manner. (§ 7.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The framework should comprise the governance structure, processes and procedures for change management, software release management, incident and problem management as well as capacity management. (§ 7.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should establish a change management process to ensure changes to information assets are assessed, tested, reviewed and approved before implementation. (§ 7.5.1, Technology Risk Management Guidelines, January 2021)
  • A change management process, and supporting change management procedures, is developed and implemented covering: (Security Control: 1211; Revision: 3, Australian Government Information Security Manual)
  • The information security policy should include Change Management. (Control: 0890 Bullet 8, Australian Government Information Security Manual: Controls)
  • The procedures for implementing System Software changes or software configuration changes should be included in the Standard Operating Procedures for the System Administrator. (Control: 0055 Table Row "Configuration control", Australian Government Information Security Manual: Controls)
  • The organization must have an implemented formal Change Management process. (Control: 1211, Australian Government Information Security Manual: Controls)
  • The Change Management process should include a policy for identifying which changes need to go through the formal Change Management process. (Control: 0912 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must ensure the Change Management process is followed for routine changes and urgent changes. (Control: 0115 Bullet 1, Australian Government Information Security Manual: Controls)
  • A formal Change Control Process should exist to document and approve network configuration changes. (Control: 0514, Australian Government Information Security Manual: Controls)
  • The organization should implement Change Management controls to ensure that, after the change, the business objectives are still being met. (¶ 54(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should implement a Change Management process for hardware, software, configurations, and data fixes to maintain confidentiality, integrity, and availability. (Attach A ¶ 1, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Change Management procedures should include considerations of the security of existing software. (Attach D ¶ 2, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • APRA envisages that a regulated entity would implement controls to manage changes to information assets, including changes to hardware, software, data, and configuration (both where the change is planned and in response to an emergency) with the aim of maintaining information security. This would ty… (47., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Sound practice is to establish a formal policy to govern end-user developed/configured software. The policy would clearly articulate under what circumstances end-user developed/configured software is appropriate, as well as expectations regarding life-cycle management controls including information … (59., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • APRA envisages that a regulated institution would implement controls to manage change to IT assets with the aim of maintaining confidentiality, integrity and availability. This includes changes to hardware, software (including associated configurations) and data fixes. (Attachment A ¶ 1, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • change management controls to ensure that the business objectives continue to be met following change (refer to Attachment A for further guidance); (¶ 54(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The organization should ensure the change management process is followed, changes are approved by the appropriate personnel, and documentation is updated to reflect the changes. A vulnerability assessment should be performed after all major changes. (§ 2.7.38, § 2.8.7, § 3.5.20, § 3.7.31, § 3.7.32, § 3.10.5, Australian Government ICT Security Manual (ACSI 33))
  • Financial institutions should establish and implement an ICT change management process to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner. Financial institutions should handle the changes during emergencies (i.e. change… (3.6.3 75, Final Report EBA Guidelines on ICT and security risk management)
  • Competent authorities should assess whether the institution has an effective framework in place for identifying, understanding, measuring and mitigating ICT change risk commensurate with the nature, scale and complexity of the institution's activities and the ICT risk profile of the institution. The… (Title 3 3.3.4(c) 56, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Computerized system changes, including system configurations, should be made in a controlled way in accordance with defined procedures. (¶ 10, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • organisation (including specifying responsibilities, assigning duties and separating functions, regulating how information is handled, applications and IT components, hardware and software management, change management, etc.), (§ 8.1 Subsection 5 ¶ 2 Bullet 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • When creating the security policy implementers should release the security policy for review and approval and implementation using appropriate change control. (3.3 bullet 5, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Policies and instructions with technical and organisational safeguards for the handling of critical vulnerabilities are documented, communicated and provided according to SA-01. The safeguards are coordinated with the activities of the change management and the incident management. (Section 5.6 RB-19 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Requirements for the documentation of tests as well as for the application and permit of changes (Section 5.11 BEI-03 Basic requirement ¶ 1 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions with technical and organisational safeguards for the proper management of changes to information systems for the development or operation of the cloud service, including middleware, databases, operating systems and network components are documented, communicated and provide… (Section 5.11 BEI-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Is there a plan for determining the need for changes to the BCMS and managing their implementation? (Operation ¶ 3, ISO 22301: Self-assessment questionnaire)
  • Is there a plan for determining the need for changes to the ISMS and managing their implementation? (Operation ¶ 2, ISO 22301: Self-assessment questionnaire)
  • The processes for changing IT systems shall be designed and implemented depending on their nature, scale, complexity and riskiness. This shall also apply to newly procured or replaced IT systems as well as to security-related subsequent improvements (security patches). (II.7.48, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Change management is a necessary part of security management. Potential processes that change management handles include handling the changes in the importance of tasks, physical and environmental alterations, changes in the way IT is assessed, changes in business and legal demands, changes in hardw… (§ 2.2.3, OGC ITIL: Security Management)
  • Changes which could affect the security of the service should be identified and managed. Unauthorised changes should be detected. (5.1 ¶ 2, Cloud Security Guidance, 1.0)
  • The purpose of the organizational change management practice is to ensure that changes in an organization are smoothly and successfully implemented, and that lasting benefits are achieved by managing the human aspects of the changes. (5.1.6 ¶ 1, ITIL Foundation, 4 Edition)
  • The organization should establish configuration management procedures, including patch management and configuration control. (§ 2.2 (2.2.010), The Center for Internet Security Wireless Networking Benchmark, 1)
  • The change control procedures need to account for the procedures and records that are used by suppliers, integrators, and other parties that have been contracted to support systems and applications. (¶ 17.2, Good Practices For Computerized systems In Regulated GXP Environments)
  • The change control procedures should include the interface between the change control procedures and the Configuration Management system. (¶ 18.1 Bullet 7, Good Practices For Computerized systems In Regulated GXP Environments)
  • The change control procedures should include changes from the enhancement of the system or from a response to an error, problem, or deviation identified during system use. (¶ 18.2, Good Practices For Computerized systems In Regulated GXP Environments)
  • System changes or application changes should only be made in accordance with a defined procedure that includes validating, checking, approving, and implementing the change. (¶ 11, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms. (AI6.1 Change Standards and Procedures, CobiT, Version 4.1)
  • Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements. Communicate changes in procedures and responsibilities clearly and in a timely manner. (DS4.4 Maintenance of the IT Continuity Plan, CobiT, Version 4.1)
  • Track the status of individual requirements (including all rejected requirements) during the design, development and implementation, and approve changes to requirements through an established change management process. (AI2.9 Applications Requirements Management, CobiT, Version 4.1)
  • Ensure required support and resources, including change management, are furnished to achieve established objectives and follow direction of the plans. (A5.10 Enable Execution, OCEG GRC Capability Model, v 3.0)
  • Establish a formal procedure to manage changes to the firewall rules. (§ 3-4, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • Examine the policies and procedures to verify that change control procedures for implementing software modifications and security patches are documented. (Testing Procedures § 6.4 Bullet 5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Change control procedures must include the following: (6.4.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: - Daily log reviews - Firewall rule-set reviews - Applying configuration standards to new… (12.11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: - Daily log reviews - Firewall rule-set reviews - Applying configuration standards to new systems - Responding to security alerts - Change m… (12.11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Change control procedures must include the following: (6.4.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are change-control procedures for implementing security patches and software modifications documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the securi… (6.4.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are change-control procedures documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the security of the system - Back-out procedures (6.4.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are change control processes and procedures followed for all changes to system components to include the following: (6.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are change-control procedures documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the security of the system - Back-out procedures (6.4.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are change control processes and procedures followed for all changes to system components to include the following: (6.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are change-control procedures documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the security of the system - Back-out procedures (6.4.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Do reviews cover the following processes: - Daily log reviews - Firewall rule-set reviews - Applying configuration standards to new systems - Responding to security alerts - Change management processes (12.11(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documented change control procedures and verify procedures are defined for: - Documentation of impact - Documented change approval by authorized parties - Functionality testing to verify that the change does not adversely impact the security of the system - Back-out procedures (6.4.5.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • For a sample of system components, interview responsible personnel to determine recent changes/security patches. Trace those changes back to related change control documentation. For each change examined, perform the following: (6.4.5.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine policies and procedures to verify that processes are defined for reviewing and confirming that personnel are following security policies and operational procedures, and that reviews cover: - Daily log reviews - Firewall rule-set reviews - Applying configuration standards to new systems - Res… (12.11.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Change-control procedures should be in place for all software modifications. These change-control procedures should include the following: documentation on how the change will impact the customer, procedures for sign-off/acceptance on the changes by the appropriate parties, testing procedures for op… (§ 5.3 thru § 5.3.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Change-control procedures are in place so that any intended change to the physical or functional capabilities of the HSM causes a re-certification of the device under the Physical Security Requirements or the Logical Security Requirements of this document. Immediate re-certification is not required … (D1, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 2.0)
  • Examine documented change control procedures to verify procedures are defined for changes to all system components in the production environment to include all elements specified in this requirement. (6.5.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The Information Technology Service Continuity (ITSC) strategy should include a continuous and ongoing process for change management. This process should include involving third party suppliers and internal customers. A key factor for ensuring the ITSC strategy and plans are appropriate as the organi… (§ 5.4 ¶ 7, § 5.6 ¶ 2(b), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Generally whenever a major change occurs it should be thoroughly reviewed. Whether the organization's operating environment changes should be examined first. Then services offered externally should be reviewed to determine whether they are adequate. Relationships with suppliers should be examined an… (Stage 5.2 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Organizational and management control elements are specified under change management processes. These processes ensure IT environment, application systems, systems software, and data changes are implemented in a way to enforce appropriate separation of duties; changes work as required; changes are n… (§ 5.3.3.3, § 5.3.5 ¶ 4, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Managing communications is a critical aspect of change management, starting with representation and approval from stakeholders, marketing the reasons or benefits of the project, and managing the end users' expectations. At the beginning of the project, these points should be clearly stated and shoul… (§ 3.4 (Managing Communication), IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • Risks can be increased by ineffective IT change management processes and can be controlled with well-designed change management processes. By implementing an effective IT change management process, the organization can safely move from one known and defined state to another. An effective change mana… (§ 2.2, § 3.1 ¶ 1, § 3.2 ¶ 1, § 3.2 ¶ 2, § 3.2 ¶ 5, § 4.1.3, IIA Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls: Critical for Organizational Success)
  • IT Security should notify Change Management of permanent application or system modifications to ensure that future builds are released with more secure configurations. The security organization should have a direct relationship with change management. (§ 3.4 (Stopping the Spread), IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • Service providers must investigate reasons for errors and interruptions and fix problems quickly. Turnaround times for production support should be faster than maintenance service, because the systems are live and require quick recoveries so the organization can resume regular operations. Key audit … (§ 3 (Production Support), § 4.5 (Internal Audit Considerations), § 5.4, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Changes to business applications (including those under development) should be performed in accordance with a formal, documented Change Management process. (CF.17.02.06a, The Standard of Good Practice for Information Security)
  • Business applications should incorporate security controls to protect the integrity of information by preventing unauthorized changes to software (e.g., malware protection, Change Management disciplines). (CF.04.01.04b, The Standard of Good Practice for Information Security)
  • A Change Management process should be established, which covers all types of change (e.g., upgrades and modifications to application and software, modifications to business information, emergency 'fixes', and changes to Information Systems and networks). (CF.07.06.01, The Standard of Good Practice for Information Security)
  • The Change Management process should be documented. (CF.07.06.02, The Standard of Good Practice for Information Security)
  • Changes to critical desktop applications should be performed in accordance with a change management process. (CF.13.04.11a, The Standard of Good Practice for Information Security)
  • Virtual Servers should be protected by applying standard security management practices to hypervisors, which include applying a strict Change Management process (e.g., changes are validated, tested, and deployed in a critical timeframe) to help ensure the hypervisor remains up-to-date. (CF.07.03.06a, The Standard of Good Practice for Information Security)
  • Each Business Continuity Plan should be subject to standard Change Management practices. (CF.20.05.10c, The Standard of Good Practice for Information Security)
  • The resilience of technical infrastructure should be improved by applying standard servicing and maintenance disciplines, which include maintaining consistent versions of software (e.g., using standard Change Management disciplines). (CF.20.03.08a, The Standard of Good Practice for Information Security)
  • Changes to business applications (including those under development) should be performed in accordance with a formal, documented Change Management process. (CF.17.02.06a, The Standard of Good Practice for Information Security, 2013)
  • Business applications should incorporate security controls to protect the integrity of information by preventing unauthorized changes to software (e.g., malware protection, Change Management disciplines). (CF.04.01.04b, The Standard of Good Practice for Information Security, 2013)
  • A Change Management process should be established, which covers all types of change (e.g., upgrades and modifications to application and software, modifications to business information, emergency 'fixes', and changes to Information Systems and networks). (CF.07.06.01, The Standard of Good Practice for Information Security, 2013)
  • The Change Management process should be documented. (CF.07.06.02, The Standard of Good Practice for Information Security, 2013)
  • Changes to critical desktop applications should be performed in accordance with a change management process. (CF.13.04.11a, The Standard of Good Practice for Information Security, 2013)
  • Virtual Servers should be protected by applying standard security management practices to hypervisors, which include applying a strict Change Management process (e.g., changes are validated, tested, and deployed in a critical timeframe) to help ensure the hypervisor remains up-to-date. (CF.07.03.06a, The Standard of Good Practice for Information Security, 2013)
  • The resilience of technical infrastructure should be improved by applying standard servicing and maintenance disciplines, which include maintaining consistent versions of software (e.g., using standard Change Management disciplines). (CF.20.03.08a, The Standard of Good Practice for Information Security, 2013)
  • Each Business Continuity Plan should be subject to standard Change Management practices. (CF.20.05.10c, The Standard of Good Practice for Information Security, 2013)
  • The organization should use the change management system to document and approve deviations from the standard build or updates. (Critical Control 3.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should use a Change Control system to document and approve deviations from or updates to the standard configuration. (Critical Control 10.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should implement a strict Change Control Process in order to control the installation of or change to software on the network. (Critical Control 2.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting IT governance and service management-related business processes implemented, for managing the risks associated with applying changes to business-critical or customer (tenant) impacting (physical and virtual) application and system-system i… (CCC-05, Cloud Controls Matrix, v3.0)
  • Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes. (CEK-05, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally… (CCC-01, Cloud Controls Matrix, v4.0)
  • Any change in status is intended to include termination of employment, contract or agreement, change of employment or transfer within the organization. (IS-09, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • The organization shall follow the Change Management procedures for any actions that are planned based on the risk assessment. (§ 4.4.1 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall document and implement a Change Management process. (§ 4.5.1 ¶ 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The medical information technology network risk manager shall ensure a Change Management process is implemented for the medical Information Technology network, including a Risk Management process. (§ 4.5.1 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish and maintain project plans for changing the medical Information Technology network. (§ 4.5.2.3 ¶ 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish and maintain project plans for changing the medical devices that are incorporated into the medical Information Technology network. (§ 4.5.2.3 ¶ 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • ¶ 10.2.3 Monitoring of Security Awareness Programs. An organization should monitor security awareness programs by: • periodic performance evaluations - to determine the effectiveness of an awareness program by monitoring security related behavior and identify where changes affecting the program d… (¶ 10.2.3, ¶ 11.3, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 8.1.5(1) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards… (¶ 8.1.5(1), ¶ 10.3.9, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • § 7.3.7: The organization shall identify and record design and development changes. All changes shall be reviewed, verified, validated, and approved before being implemented. Change reviews shall include an evaluation of the effects on constituent parts and products that have already been delivered… (§ 7.3.7, § 8.5 ¶ 1, § 8.5.2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • When determining necessary controls, or considering changes to existing controls, consideration should be given to risks and opportunities that need to be addressed, and to any unintended consequences that can result. The organization should control planned changes and review the consequences of uni… (8.1.1 ¶ 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The configuration management plan should describe how configuration items are maintained. Roles and responsibilities of individuals, activities subject to configuration management, procedures for making changes, a description of the types of information that should be included in the change log, and… (§ 12.4.1.3.10, § 12.4.1.3.12, § 13.4.2.3.11, § 13.4.2.3.13, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The assessment, approval, scheduling, and reviewing of new or changed services shall be controlled by the Change Management process. (§ 5.1 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The Change Management process shall be used to control changes to documented service requirements, Service Level Agreements, catalog of services, and other documented agreements. (§ 6.1 ¶ 5, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The Configuration Management Database information shall be used by the change control process for help in assessing change requests. (§ 9.1 ¶ 5, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The Change Management policy shall define which Configuration Items are under Change Management control. (§ 9.2 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The Change Management policy shall define the criteria for determining if changes have the potential to have a major impact on the customer or services. (§ 9.2 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Configuration management shall provide information to the change management process on the impact of a requested change on the service and infrastructure configurations. Changes to configuration items shall be traceable and auditable where appropriate, e.g. for changes and movements of software and … (§ 9.1, § 9.2, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • business and operational requirements, (§ 9.3 ¶ 4 d) 1), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • risk reduction and security requirements, (§ 9.3 ¶ 4 d) 2), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • the need for changes to the BCMS, including the policy and objectives; (§ 9.3.2 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the BCMS to improve its efficiency and effectiveness, including the following: (§ 9.3.3.1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Outsourced service providers should ensure changes or upgrades to computing and related equipment do not affect supporting an organization's continuity and recovery needs in accordance with contracted requirements. Procedures should be developed to check for equipment compatibility after upgrades … (§ 7.6.9, § 7.14.2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. (A.12.1.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. (A.14.2.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • control of changes (e.g. version control); and (§ 7.5.3 ¶ 2 e), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. (§ 9.3 ¶ 3, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Changes to the system and the software should be strictly controlled. Formal procedures should be in place and should include testing changes; identifying and recording the changes; assessing the impact of changes; formal approval of the changes; letting the appropriate personnel know of the changes… (§ 10.1.2, § 12.5.1, ISO 27002 Code of practice for information security management, 2005)
  • In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure … (§ 12.1.2 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall use an established maintenance process or the software development process from section 5 to implement modifications. (§ 6.3.1, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • any need for changes to the quality management system; (9.3.3 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • control of changes (e.g. version control); and (Section 7.6.5 ¶ 2 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Change management (§ 8.5.1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • A change management policy shall be established and documented to define: (§ 8.5.1.1 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • service components and other items that are under the control of change management; (§ 8.5.1.1 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • categories of change, including emergency change, and how they are to be managed; (§ 8.5.1.1 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • control of changes (e.g. version control); and (§ 7.5.3 ¶ 2 e), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. (§ 9.3.3 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled. (§ 12.1.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. (§ 14.2.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • plan their implementation and assign tasks, responsibilities, deadlines and resources; (§ 8.1 Guidance ¶ 2(i), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Ensure changes to community engagement approaches are based on evidence and needs, and ensure all engagement is culturally appropriate and empathetic. (Pillar 2 Step 3 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Organizations typically anticipate many changes within setting of strategy and business objectives and performance, but they need to also be aware of the potential for larger, substantial changes that may occur and have a more pronounced effect. Substantial change may lead to new or changed risks, a… (Integrating Reviews into Business Practices ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Configuration change control processes are in place. (PR.IP-3, CRI Profile, v1.2)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should evaluate the security issues involved with any changes to the system, facility, personnel, etc. (Pg 4, Responsible Care Security Code of Management Practices, American Chemistry Council)
  • Procedures exist to provide that only authorized, tested, and documented changes are made to the system. (Security Prin. and Criteria Table § 3.13, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide that only authorized, tested, and documented changes are made to the system. (Availability Prin. and Criteria Table § 3.16, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide that only authorized, tested, and documented changes are made to the system. (Processing Integrity Prin. and Criteria Table § 3.17, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide that only authorized, tested, and documented changes are made to the system. (Confidentiality Prin. and Criteria Table § 3.19, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should implement a Change Management process for all systems that collect, use, keep, disclose, and destroy personal information. (Table Ref 1.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should implement procedures so only authorized, tested, and documented changes are made to the system. (Table Ref 1.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • A process is in place to design and develop system changes. (CC8.1 Designs and Develops Changes, Trust Services Criteria)
  • The system change management process is initiated when forecasted usage exceeds capacity tolerances. (A1.1 Makes Changes Based on Forecasts, Trust Services Criteria)
  • A process is in place to design and develop system changes. (CC8.1 ¶ 2 Bullet 3 Designs and Develops Changes, Trust Services Criteria, (includes March 2020 updates))
  • The system change management process is initiated when forecasted usage exceeds capacity tolerances. (A1.1 ¶ 2 Bullet 3 Makes Changes Based on Forecasts, Trust Services Criteria, (includes March 2020 updates))
  • Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity’s [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination there… (CC7.4, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Does the information security policy cover change control? (§ B.1.10, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is there an operational Change Management/Change Control policy or program that has been approved by management? (§ G.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the operation Change Management/Change Control policy or program include documentation of changes? (§ G.2.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are changes to the network subject to the Change Control Process? (§ G.2.12.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are changes to systems subject to the Change Control Process? (§ G.2.12.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are application updates subject to the Change Control Process? (§ G.2.12.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are code changes subject to the Change Control Process? (§ G.2.12.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When application development is performed, is there a documented Change Management/Change Control process? (§ I.2.22, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Does the documented Change Management/Change Control Process include a policy so that changes only take place during named and agreed upon times (Green Zone)? (§ I.2.22.13, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Does the Business Continuity and Disaster Recovery program include Change Management to ensure changes are replicated to contingency environments? (§ K.1.2.8, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Operational software may be modified only if it is rigorously controlled under conditions that require verification. (§ 2-4.g, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 3.5.3: The organization must implement procedures for identifying and documenting system software problems, including recording the problems in a log; the individual responsible for analyzing the problem; and how the problem was resolved. CSR 10.7.2: The organization must implement change contro… (CSR 3.5.3, CSR 10.7.2, CSR 10.7.5, CSR 10.7.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • A system of internal controls over changes to SCI systems; (§242.1001(b)(2)(ii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Ensure the organization is following a proper change management program and that no unauthorized changes are being made. (Obj 3 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Users should not install or remove any applications from their BlackBerry, unless specifically approved. (§ 2.2 (WIR1180), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4)
  • Track, review, approve, or disapprove, and log changes to organizational systems. (CM.2.065, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Track, review, approve, or disapprove, and log changes to organizational systems. (CM.2.065, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Track, review, approve, or disapprove, and log changes to organizational systems. (CM.2.065, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Track, review, approve, or disapprove, and log changes to organizational systems. (CM.2.065, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Track, review, approve or disapprove, and log changes to organizational systems. (CM.L2-3.4.3 System Change Management, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The organization must implement software development change controls to prevent unauthorized modifications or unauthorized programs from being implemented. (ECSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must implement software development change controls to prevent unauthorized modifications or unauthorized programs from being implemented. (ECSD-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Procedures must be implemented to ensure software and data changes are made by authorized personnel only. (§ 8-604.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • § 820.30(i): A medical device manufacturer shall establish and maintain procedures for identifying, documenting, validating or verifying, reviewing, and approving design changes before they are implemented. § 820.70(b): A medical device manufacturer shall establish and maintain procedures for chan… (§ 820.30(i), § 820.70(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Change control process; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • IT environments and changes to configuration or components; (TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Trainin… (Other Policies, Standards and Processes, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Detail a consistent change management process throughout the entity. (IV Action Summary ¶ 2 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that management documents, tracks, and resolves any changes when updating the BCP and the exercise and testing program(s). Furthermore, verify that management maintains appropriate version control of key BCM documents. (App A Objective 11:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools. (Domain 1: Assessment Factor: Governance, IT ASSET MANAGEMENT Baseline 3 ¶ 4, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Working with other members of management to evaluate architectural changes. (App A Objective 2:9a Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Responsibility for designing the IT architecture and accommodating IT changes. (App A Objective 2:9a Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • If the entity implements more complex types of changes (e.g., core conversions, migrations to cloud-based environments, or implementing a system to support a new product), assess whether formal planning and management oversight processes are in place and adequate. (App A Objective 6:2a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • If the entity implements less complex, but planned changes (e.g., implementation of patches), assess the appropriateness of the change process. (App A Objective 6:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the entity's policies, standards, and procedures address change management, including each step of the change process. Assess whether the process includes the following: (App A Objective 6:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Depending on the complexity of the change, determine the adequacy of the processes to manage the change. Verify that changes to any IT system or service are supported by an orderly, adaptable, documented, and measurable process. (App A Objective 6:2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the IT environment and its products and services, whether internally or externally provided, are adaptable to change, and stakeholders from across the entity have input into the change process. (App A Objective 6:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Review and evaluate the entity's change management process to implement changes that preserve systems' security and are based on the change type (e.g., planned, routine, and emergency). Determine whether management follows pre-defined processes, such as the following: (App A Objective 6:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Following enterprise change control standards. (App A Objective 13:3l Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Inclusion of processes for obtaining approvals, making changes to the plan, and reporting, as appropriate. (App A Objective 12:3c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Change management processes allow for the transition of responsibilities and knowledge and are part of the overall system development life cycle. (App A Objective 6:5c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Development of policies, standards, and procedures to govern architecture initiatives and changes to the architecture plan. (App A Objective 12:3b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Processes to recommend changes in operations processes and controls. (VI.D Action Summary ¶ 2 Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Development of appropriate design objectives, including changes, EOL, and identification of shadow IT. (IV Action Summary ¶ 2 Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management fosters effective management of change across the AIO functions. (III.D, "Managing Change in AIO") (App A Objective 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Network configuration management and change control processes. (V Action Summary ¶ 2 Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has a process to introduce changes to the environment (e.g., configuration management of IT systems and applications, hardening of systems and applications, use of standard builds, and patch management) in a controlled manner. Determine whether management does the follow… (App A Objective 6.11, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Maintains procedures to guide the process of introducing changes to the environment. (App A Objective 6.11.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should have a process to introduce changes to the environment in a controlled manner. Changes to the IT environment include the following: - Configuration management of IT systems and applications. - Hardening of systems and applications. - Use of standard builds. - Patch management. (II.C.10 Change Management Within the IT Environment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Change management. (App A Objective 12:12 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The independence of the quality assurance function and the adequacy of controls over program changes including the: - parity of source and object programming code, - independent review of program changes, - comprehensive review of testing results, - management's approval before migration into produc… (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Verify that appropriate policies, standards, and processes address business continuity planning issues including: ▪ Security; ▪ Project management; ▪ Change control process; ▪ Data synchronization, back-up, and recovery; ▪ Crises management (responsibility for disaster declaration and deal… (Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should have a change management system implemented to ensure all changes are approved, documented, and disseminated. (Pg 31, Pg 32, Pg 51 thru Pg 54, Exam Obj 10.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • The organization should have a change management policy. The policy should define what a change is and how to manage the change; describe the minimum standards for oversight, notification, and control; and control risk, testing, approval, implementation, and back-out or recovery procedures. The chan… (Pg 24, Pg 26, Pg 28, Exam Tier I Obj 1.3, Exam Tier I Obj 5.1, Exam Tier I Obj 8.2, FFIEC IT Examination Handbook - Operations, July 2004)
  • Any processes have been re-engineered during the past year. (App A Tier 1 Objectives and Procedures Objective 1:4 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the financial institution has enhanced its change management program to address the procedures involved in the RDC function and ensure ongoing compatibility between financial institution and customer systems. Describe the coordination process. (App A Tier 2 Objectives and Procedures N.11 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine if the quality of management and staff, and the staffing levels are adequate for the specific retail payment products and processes the institution provides. • Obtain and review the following: o Reports showing staffing levels, turnover, and trends. o Biographies of managers and key staf… (Exam Tier I Obj 1.3, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Software changes may require an update to the software review. (Pg 22, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • The organization should develop change management procedures to ensure the integrity of application software and hardware configurations. (Pg 20, Exam Tier I Obj 1.3, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Adopt procedures for change management; and (§ 314.4 ¶ 1(c)(7), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The service provider must define the configuration change control element and the frequency or condition when it meets. (Column F: CM-3f, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the Change Control element and the frequency and conditions of use, as defined by the service provider. (Column F: CM-3f, FedRAMP Baseline Security Controls)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization must ensure information system changes are authorized, documented, and controlled. (§ 5.6.5, Exhibit 4 CM-3, Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Procedures designed to ensure that member information system modifications are consistent with the credit union's information security program; (§ 748 Appendix A. III.C.1.d., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Has the Credit Union implemented change control procedures to ensure modifications are consistent with the information security program? (IT - 748 Compliance Q 6d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the firewall rule Change Control Process automated? (IT - Firewalls Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are policy changes deployed manually? (IT - IDS IPS Q 23, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the policy changes consistent at all of the sensors, if they are deployed manually? (IT - IDS IPS Q 23a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union have written Change Management procedures that include management approval, scheduled upgrades, testing, and implementation? (IT - Networks Q 28, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is there an implemented approval process and review process for changes to the software and services running on the server? (IT - Servers Q 12, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the written website operating policy include the website change procedures and the documentation that is required to be kept for all approved changes? (IT - Web Site Review Q 1e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Change monitoring. (CA-7(4) ¶ 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Determine and document the types of changes to the system that are configuration-controlled; (CM-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Change monitoring. (CA-7(4) ¶ 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Change monitoring. (CA-7(4) ¶ 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Determine and document the types of changes to the system that are configuration-controlled; (CM-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Change monitoring. (CA-7(4) ¶ 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Monitor risk. Monitor risk exposure and the effectiveness of mitigating risk on an ongoing basis, including tracking changes to an information system or supply chain using effective enterprise communications and a feedback loop for continuous improvement. (2. ¶ 1 Bullet 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Determine and document the types of changes to the system that are configuration-controlled; (CM-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Determine and document the types of changes to the system that are configuration-controlled; (CM-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Determine and document the types of changes to the system that are configuration-controlled; (CM-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should have a change management program in place to maintain compatibility between the authentication system and the host computers whenever new software or hardware is added to the host computer system. (§ 8.4 ¶ 2, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • Configuration change control processes are in place (PR.IP-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Organizational records and documents should be examined to ensure information system changes are controlled, changes are approved by appropriate managers in accordance with policies and procedures, and specific responsibilities and actions are defined for the implementation of the configuration chan… (CM-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A formal change management program should be established and procedures used to insure that all modifications to an ICS network meet the same security requirements as the original components identified in the asset evaluation and the associated risk assessment and mitigation plans. Risk assessment s… (§ 6.2.5 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Follow vendor recommendations on all other servers and computers (DCS, PLC, instruments) that have time-dependent code, modified or extended the operating system or any other change that makes it different from any standard PC that one could buy at an office supply or computer store. Expect the vend… (§ 6.2.17.1 ICS-specific Recommendations and Guidance ¶ 3 Bullet 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop risk mitigation strategies to resolve vulnerabilities and recommend security changes to system or system components as needed. (T0076, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Supports incident management, service-level management, change management, release management, continuity management, and availability management for databases and data management systems. (T0306, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Configuration change control processes are established and in place. (PR.PO-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization should conduct periodic audits of the smart grid Information System to validate Change Management procedures and to verify an audit trail of reviews and approvals exists. (SG.AU-14 Supplemental Guidance 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should authorize and document all changes to the system. (SG.CM-3 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must keep and review records of all changes made to the smart grid system. (SG.CM-3 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should audit all activities that are associated with changes to the smart grid system. (SG.CM-3 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Track, review, approve/disapprove, and audit changes to information systems. (3.4.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Track, review, approve or disapprove, and log changes to organizational systems. (3.4.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Track, review, approve or disapprove, and log changes to organizational systems. (3.4.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must determine the types of changes to the system that are configuration controlled. (App F § CM-3.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must require system developers and integrators to manage and control system changes. (App F § SA-10.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Supports incident management, service-level management, change management, release management, continuity management, and availability management for databases and data management systems. (T0306, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization determines the types of changes to the information system that are configuration-controlled. (CM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization determines the types of changes to the information system that are configuration-controlled. (CM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization determines the types of changes to the information system that are configuration-controlled. (CM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Determine and document the types of changes to the system that are configuration-controlled; (CM-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Change monitoring. (CA-7(4) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and (SA-15a.4., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establish and document policies and procedures for assessing and maintaining configuration information, for tracking changes made to the pipeline cyber assets, and for patching/upgrading operating systems and applications. Ensure that the changes do not adversely impact existing cybersecurity contro… (Table 2: Asset Management Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Ensure that any change that adds control operations to a non-critical pipeline cyber asset results in the system being recognized as a critical pipeline cyber asset and enhanced security measures being applied. (Table 2: Business Environment Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Determines the types of changes to the information system that are configuration-controlled; (CM-3a., TX-RAMP Security Controls Baseline Level 2)