Perform risk assessments prior to approving change requests.

CONTROL ID: 00888
CONTROL TYPE: Testing
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

This Control has the following implementation support Control(s):
  • Conduct network certifications prior to approving change requests for networks., CC ID: 13121

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Emergency changes should be logged and backed up (including the previous and changed program versions and data) so that recovery of previous program versions and data files is possible if necessary. Emergency changes need to be reviewed by independent personnel to ensure that the changes are proper … (4.3.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number IV.9(3): The impact of introducing or replacing hardware, software, and/or the network must be assessed. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number V.2(2): The organization must survey and an… (App 2-1 Item Number IV.9(3), App 2-1 Item Number IV.2(2), App 2-1 Item Number VI.6.1(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • When a new system is developed or an existing system is changed, the organization should examine if the development or change is consistent with the existing system. The organization should maintain development and change logs. (Practice Standard § I.2(6)[IT Controls].B.a, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O56.3(5): The organization should consider effects on business operations that can result from unauthorized access before applying modified versions of programs. T15.1: The organization should determine the impact of changes and additions at the time the change or addition is made to minimize the i… (O56.3(5), T15.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Any changes to an application system/data need to be justified by genuine business need and approvals supported by documentation and subjected to a robust change management process. The change management would involve generating a request, risk assessment, authorization from an appropriate authority… (Critical components of information security 11) c.12., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The potential business impacts of changes should be assessed (for e.g., in terms of the overall risk and impact on other components of the application) (Critical components of information security 20) iii. Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Performing or delegating the following - day-to-day security administration, approval of exception access requests, appropriate actions on security violations when notified by the security administration, the review and approval of all changes to the application prior to being placed in the producti… (Application owner ¶ 1 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should perform an assessment to ascertain the importance of these applications to the business. (§ 6.4.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Prior to deploying changes to the production environment, the FI should perform a risk and impact analysis of the change request in relation to existing infrastructure, network, up-stream and downstream systems. The FI should also determine if the introduced change would spawn security implications … (§ 7.1.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A risk and impact analysis of the change to an information asset should be conducted before implementing the change. The analysis should cover factors such as security and implications of the change in relation to other information assets. (§ 7.5.2, Technology Risk Management Guidelines, January 2021)
  • assessment of potential security impacts (Security Control: 1211; Revision: 3; Bullet 3, Australian Government Information Security Manual)
  • The Change Management process should include conducting vulnerability management activities whenever a significant change has been made. (Control: 0912 Bullet 5, Australian Government Information Security Manual: Controls)
  • The organization must update the Security Risk Management Plan before making any changes to the gateway to ensure that all security risks have been accepted. (Control: 0624, Australian Government Information Security Manual: Controls)
  • Effective Change Control should include assessing the impact of the changes. (Attach A ¶ 2, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Ongoing security of existing software would also typically be considered as part of change management and as new vulnerabilities are identified. Typical factors to consider include: (Attachment D 2., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Implementation controls minimise risk of new vulnerabilities from system change, systems are secure by design (Attachment G Control Objective Row 11, APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • APRA envisages that a regulated institution would include IT security considerations throughout the software development life-cycle including requirements-gathering, design, programming, testing and implementation phases. Ongoing security of existing software would also normally be considered as par… (Attachment D ¶ 2, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • APRA envisages that a regulated institution would regularly assess IT security vulnerabilities and evaluate the effectiveness of the existing IT security risk management framework, making any necessary adjustments to ensure emerging vulnerabilities are treated in a timely manner. This assessment wou… (¶ 30, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Furthermore, on an ongoing basis, financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require adoption of additional measures to mitigate related risks appropriately. These changes should be part of the financial… (3.4.4 37, Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require the adoption of additional measures to mitigate the risks involved. These changes should be in accordance with the financial institutions' formal change… (3.6.3 76, Final Report EBA Guidelines on ICT and security risk management)
  • an independent review and validation processes to reduce the risks for human errors when performing changes to the ICT systems that may have an important adverse effect on the availability, continuity or security of the institution (e.g. important changes to the firewall configuration), or security … (Title 3 3.3.4(c) 56.i, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • documented processes for managing and controlling changes to ICT systems (e.g.configuration and patch management) and data (e.g. bug fixing or data corrections), ensuring the adequate involvement of ICT risk management for important ICT changes that may significantly impact the institution's risk pr… (Title 3 3.3.4(c) 56.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • All changes are categorised on the basis of a risk assessment (e.g. as insignificant, significant or far-reaching impacts) in order to obtain an appropriate authorisation prior to making the change available to the production environment. (Section 5.11 BEI-05 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • All changes are prioritised on the basis of a risk assessment (e.g. as low, normal, high, emergency) in order to obtain an appropriate authorisation prior to making the change available to the production environment. (Section 5.11 BEI-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The principal of a change performs a risk assessment beforehand. All configuration objects which might be affected by the change are assessed with regard to potential impacts. The result of the risk assessment is documented appropriately and comprehensively. (Section 5.11 BEI-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The purpose of the change enablement practice is to maximize the number of successful service and product changes by ensuring that risks have been properly assessed, authorizing changes to proceed, and managing the change schedule. (5.2.4 ¶ 1, ITIL Foundation, 4th Edition)
  • The change control procedures should include the impact of the changes on the system status and controls. (¶ 18.1 Bullet 2, Good Practices For Computerized systems In Regulated GXP Environments)
  • The change control procedures should include the methods used to assess the full impact of the change, including regression analysis and regression testing. (¶ 18.1 Bullet 6, Good Practices For Computerized systems In Regulated GXP Environments)
  • Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised. (AI6.2 Impact Assessment, Prioritisation and Authorisation, CobiT, Version 4.1)
  • Examine the documented change control procedures for software modifications and security patches to verify it includes procedures for documenting the impact of the change. (Testing Procedures § 6.4.5.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel for sampled changes to verify the documentation of impact is included in the change control documentation. (Testing Procedures § 6.4.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure the change control procedures include an impact assessment of the proposed changes. (§ 6.4.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that documentation of impact is included in the change control documentation for each sampled change. (§ 6.4.5.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The Change Control procedures for implementing software modifications and security patches must include documentation of the impact. (PCI DSS Requirements § 6.4.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • A risk assessment must be conducted at least annually and after significant changes to the environment. (PCI DSS Requirements § 12.2 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Each system change should include a document stating the impact of the change to the customers. (§ 5.3.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Are change-control procedures for implementing security patches and software modifications documented and require documentation of impact? (PCI DSS Question 6.4.5(a) Bullet 1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is a documentation of impact performed and documented for all changes? (PCI DSS Question 6.4.5.1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are change-control procedures for implementing security patches and software modifications documented and require documentation of impact? (PCI DSS Question 6.4.5(a) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is a documentation of impact performed and documented for all changes? (PCI DSS Question 6.4.5.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are change-control procedures for implementing security patches and software modifications documented and require documentation of impact? (PCI DSS Question 6.4.5(a) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is a documentation of impact performed and documented for all changes? (PCI DSS Question 6.4.5.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The organization identifies and assesses changes that could significantly impact the system of internal control. (§ 3 Principle 9 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • The potential impact of changes on regulatory compliance must be included in the change approval process. The following questions should be asked to aid in making good change management decisions: Is the change really needed? When changes are not allowed, are scheduled maintenance and change freeze … (§ 3.3 ¶ 3, § 4.5 ¶ 4, § 4.6, IIA Global Technology Audit Guide (GTAG) 2:Change and Patch Management Controls: Critical for Organizational Success)
  • Target environments shall be subject to an information risk assessment prior to significant changes (at an early stage in the Change Control Process). (SR.01.01.04b, The Standard of Good Practice for Information Security)
  • Prior to changes being applied to the live environment, the potential business impacts of changes should be assessed (e.g., in terms of overall risk and impact on other components of Information Systems and networks). (CF.07.06.03c, The Standard of Good Practice for Information Security)
  • The information security policy should require that important systems be subject to an information risk assessment before a major change. (CF.01.01.03c-2, The Standard of Good Practice for Information Security)
  • Changes to critical desktop applications should be reviewed to ensure that they do not adversely affect intended functionality or compromise security controls. (CF.13.04.11b, The Standard of Good Practice for Information Security)
  • Target environments shall be subject to an information risk assessment prior to significant changes (at an early stage in the Change Control Process). (SR.01.01.04b, The Standard of Good Practice for Information Security, 2013)
  • Prior to changes being applied to the live environment, the potential business impacts of changes should be assessed (e.g., in terms of overall risk and impact on other components of Information Systems and networks). (CF.07.06.03c, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should require that important systems be subject to an information risk assessment before a major change. (CF.01.01.03c-2, The Standard of Good Practice for Information Security, 2013)
  • Changes to critical desktop applications should be reviewed to ensure that they do not adversely affect intended functionality or compromise security controls. (CF.13.04.11b, The Standard of Good Practice for Information Security, 2013)
  • Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). (CCC-03, Cloud Controls Matrix, v4.0)
  • Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis. (CEK-06, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally… (CCC-01, Cloud Controls Matrix, v4.0)
  • The organization shall ensure design and development change reviews include evaluating the effect of the change on the already delivered product and constituent parts. (§ 7.3.7, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The service provider shall consider the potential financial impact, technical impact, and organizational impact of delivering the new or changed services, along with its potential impact on the service management system. (§ 5.2 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall assess the impact of change requests for the service continuity plan and the availability plan. (§ 6.3.2 ¶ 5, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Change requests shall be assessed to identify the potential impact of the change on existing policies and controls. (§ 6.6.3 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Documented procedures shall exist for recording, classifying, assessing, and approving change requests. (§ 9.2 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Change requests shall be assessed with information from the Change Management process and other processes. (§ 9.2 ¶ 7, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Accurate configuration information should be available to support the planning and control of changes as new and updated services and systems are released and distributed. The result should be an efficient system that integrates the organization's configuration information processes and those of its… (§ 9.1.1, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • Prior to approving changes, an assessment should be made as to what the impact of the change will be on the organization. (§ 10.1.2, ISO 27002 Code of practice for information security management, 2005)
  • § 6.2.3: For software systems assigned to Class B and Class C software safety classes, the medical device manufacturer shall analyze change requests to determine each of their effects on release software products, the organization, and the systems with which they interface. § 7.4.1: For software s… (§ 6.2.3, § 7.4.1, § 7.4.2, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements. (8.3.6 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Risks associated with any planned change, permanent or temporary that can have an impact on achieving the IT asset management objectives, shall be assessed before the change is implemented. (Section 8.2 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • capacity, service availability, service continuity and information security; (§ 8.5.1.3 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. (§ 8.3.4.1 ¶ 6, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • existing services; (§ 8.5.1.3 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • other requests for change, releases and plans for deployment. (§ 8.5.1.3 ¶ 1(e), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization's change management process explicitly considers cyber risks, in terms of residual cyber risks identified both prior to and during a change, and of any new cyber risk created post-change. (PR.IP-3.1, CRI Profile, v1.2)
  • The organization's change management process explicitly considers cyber risks, in terms of residual cyber risks identified both prior to and during a change, and of any new cyber risk created post-change. (PR.IP-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity identifies and assesses changes that could significantly impact the system of internal control. (CC3.4 COSO Principle 9:, Trust Services Criteria)
  • The entity identifies and assesses changes that could significantly impact the system of internal control. (CC3.4 ¶ 1 COSO Principle 9:, Trust Services Criteria, (includes March 2020 updates))
  • Does the operation Change Management/Change Control policy or program include review of proposed changes? (§ G.2.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the operation Change Management/Change Control policy or program include review for potential security impact? (§ G.2.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the operation Change Management/Change Control policy or program include review for potential operational impact? (§ G.2.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the documented Change Management/Change Control Process include an impact assessment to review all affected systems and applications? (§ I.2.22.9, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • The Information Systems Security Officer should review all proposed changes to the information system to determine if there are any security implications. (§ 2-14.c(3), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 3.5.2: The organization must have up-to-date controls to identify, select, install, and modify system software. These controls include business and mission impact analyses; cost and benefits analyses, and the impact on processing security and reliability. CSR 4.1.3: The organization must include… (CSR 3.5.2, CSR 4.1.3, CSR 10.7.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Analyze the security impact of changes prior to implementation. (CM.2.066, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Analyze the security impact of changes prior to implementation. (CM.2.066, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Analyze the security impact of changes prior to implementation. (CM.2.066, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Analyze the security impact of changes prior to implementation. (CM.2.066, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Analyze the security impact of changes prior to implementation. (CM.L2-3.4.4 Security Impact Analysis, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Information System changes must be assessed for accreditation impact and Information Assurance before being implemented. (DCII-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Changes to the DoD Information System are assessed for IA and accreditation impact prior to implementation. (DCII-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Testing, which documents that the change performs as intended, identifies flaws, and verifies that the change integrates with other systems. (App A Objective 6:4e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institution boards should oversee, while senior management should implement, an IT planning process with the following elements: - Long-term goals and the allocation of IT resources to achieve them, usually within a three- to five-year horizon. - Alignment of the IT strategic plan with the… (I.B.6 Planning IT Operations and Investment, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Identify whether the institution has a proactive process in place to effectively update its measurement of risk before implementing system changes, rolling out new products or services, or confronting new external conditions. (App A Objective 11:3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Including information security risks when developing, implementing, or updating products. (App A Objective 12:8 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Reviewing major changes to applications or the operating system; (TIER I OBJECTIVES AND PROCEDURES Objective 10:3. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Change control forms should be used for all changes. They should collect enough information to understand the impact of the change. (Pg 53, FFIEC IT Examination Handbook - Development and Acquisition)
  • Whether the institution introduced any existing products into new markets within the past year. (App A Tier 1 Objectives and Procedures Objective 1:2 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization must conduct a security impact analysis of all proposed changes to the system to determine the effect of the changes prior to their implementation. (§ 5.6.5, Exhibit 4 CM-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. (CM-4 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. (CM-4 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. (CM-4 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. (CM-4 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. (CM-4 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. (CM-4 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enf… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure changes to the system are monitored, security impact assessments are conducted on proposed changes, and specific responsibilities and actions are defined for the implementation of the monitoring configuration change control. Any probl… (CM-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should fully understand the security, personnel, operational, and technical requirements for implementing and deploying security features or products prior to doing so. (Table 4-2 Item 30, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A formal change management program should be established and procedures used to insure that all modifications to an ICS network meet the same security requirements as the original components identified in the asset evaluation and the associated risk assessment and mitigation plans. Risk assessment s… (§ 6.2.5 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should analyze changes to the system for potential security impacts before implementing the changes. (SG.CM-4 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Analyze the security impact of changes prior to implementation. (3.4.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Analyze the security impact of changes prior to implementation. (3.4.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Analyze the security impact of changes prior to implementation. (3.4.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must analyze system changes to determine potential security impacts before the change is implemented. (App F § CM-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must consider the Industrial Control System safety and security interdependencies during the security impact analysis for system changes. (App I § CM-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses. (CM-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service and the potential security impacts of such changes. (SA-10d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses. (CM-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service and the potential security impacts of such changes. (SA-10d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses. (CM-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service and the potential security impacts of such changes. (SA-10d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. (CM-4 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, TX-RAMP Security Controls Baseline Level 1)
  • The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. (CM-4 Control, TX-RAMP Security Controls Baseline Level 2)