Establish, implement, and maintain emergency change procedures.
CONTROL ID
00890
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

This Control has the following implementation support Control(s):
  • Perform emergency changes, as necessary., CC ID: 12707
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To enable unforeseen problems to be addressed in a timely and controlled manner, AIs should establish formal procedures to manage emergency changes. Emergency changes should be approved by the information owner (for application system or production data related changes) and other relevant parties at… (4.3.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Urgent or emergency changes, such as a high priority security patch for an IT system, are changes that need to be implemented expeditiously and may not be able to follow the standard change management process. To reduce the risk to the security and stability of the production environment, the FI sho… (§ 7.5.6, Technology Risk Management Guidelines, January 2021)
  • The Change Management process must include the actions to follow before and after an urgent change is implemented. (Control: 0117, Australian Government Information Security Manual: Controls)
  • The change management process should define the actions to be taken before and after an emergency change is implemented. (§ 2.8.7, Australian Government ICT Security Manual (ACSI 33))
  • Financial institutions should establish and implement an ICT change management process to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner. Financial institutions should handle the changes during emergencies (i.e. change… (3.6.3 75, Final Report EBA Guidelines on ICT and security risk management)
  • Emergency changes are to be classified as such by the change manager who creates the change documentation before applying the change to the production environment. Afterwards (e. g. within 5 working days), the change manager supplements the change documentation with a justification and the result of… (Section 5.11 BEI-10 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The change control procedures should include a definition of the circumstances and the documentation requirements for emergency changes. (¶ 18.2, Good Practices For Computerized systems In Regulated GXP Environments)
  • Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process. (AI6.3 Emergency Changes, CobiT, Version 4.1)
  • There should be documented standards / procedures for applying emergency fixes to business information, business applications, and technical infrastructure. (CF.11.03.01, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover applying emergency fixes to business application software, systems software, parameter settings and business and system information within the live environment. (CF.11.03.02a, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to software and business applications should be established, which includes applying them to Operating System and virtualization software. (CF.11.03.03a, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to software and business applications should be established, which includes applying them to business software (e.g., Enterprise Resource Planning and Customer Relationship Management applications). (CF.11.03.03b, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to software and business applications should be established, which includes applying them to Commercial Off-the-Shelf Software. (CF.11.03.03c, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to software and business applications should be established, which includes applying them to security software (e.g., data leakage protection, Digital Rights Management, and Intrusion Detection Software). (CF.11.03.03d, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to computer equipment (including servers, mobile devices, laptops, and netbooks). (CF.11.03.04a, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to consumer devices (including tablets and smartphones). (CF.11.03.04b, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to virtual systems (e.g., Virtual Servers and virtual desktops). (CF.11.03.04c, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to network storage systems (including Storage Area Network and network-attached storage). (CF.11.03.04d, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to network equipment (e.g., routers, switches, Wireless Access Points, and firewalls). (CF.11.03.04e, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to telephony (including Voice over Internet Protocol) and conferencing equipment. (CF.11.03.04f, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to office equipment (e.g., network printers and multifunction devices). (CF.11.03.04g, The Standard of Good Practice for Information Security)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to specialist equipment (e.g., that which is used to support critical infrastructure). (CF.11.03.04h, The Standard of Good Practice for Information Security)
  • Once an emergency is over, emergency fixes should be checked to ensure that they are not left permanently in place. (CF.11.03.06d, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for applying emergency fixes to business information, business applications, and technical infrastructure. (CF.11.03.01, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover applying emergency fixes to business application software, systems software, parameter settings and business and system information within the live environment. (CF.11.03.02a, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to software and business applications should be established, which includes applying them to Operating System and virtualization software. (CF.11.03.03a, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to software and business applications should be established, which includes applying them to business software (e.g., Enterprise Resource Planning and Customer Relationship Management applications). (CF.11.03.03b, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to software and business applications should be established, which includes applying them to Commercial Off-the-Shelf Software. (CF.11.03.03c, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to software and business applications should be established, which includes applying them to security software (e.g., data leakage protection, Digital Rights Management, and Intrusion Detection Software). (CF.11.03.03d, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to computer equipment (including servers, mobile devices, laptops, and netbooks). (CF.11.03.04a, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to consumer devices (including tablets and smartphones). (CF.11.03.04b, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to virtual systems (e.g., Virtual Servers and virtual desktops). (CF.11.03.04c, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to network storage systems (including Storage Area Network and network-attached storage). (CF.11.03.04d, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to network equipment (e.g., routers, switches, Wireless Access Points, and firewalls). (CF.11.03.04e, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to telephony (including Voice over Internet Protocol) and conferencing equipment. (CF.11.03.04f, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to office equipment (e.g., network printers and multifunction devices). (CF.11.03.04g, The Standard of Good Practice for Information Security, 2013)
  • A method of applying emergency fixes to technical infrastructure should be established, which includes applying them to specialist equipment (e.g., that which is used to support critical infrastructure). (CF.11.03.04h, The Standard of Good Practice for Information Security, 2013)
  • Once an emergency is over, emergency fixes should be checked to ensure that they are not left permanently in place. (CF.11.03.06d, The Standard of Good Practice for Information Security, 2013)
  • Documented procedures shall exist for managing emergency changes. (§ 9.2 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall document the definition of an emergency release and manage them according to documented procedures that are interfaced with the emergency change procedures. (§ 9.3 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Emergency changes are sometimes required, and an emergency change process should be streamlined and documented. (§ 9.2.3, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • Procedures exist to provide that emergency changes are documented and authorized in a timely way. (Security Prin. and Criteria Table § 3.14, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide that emergency changes are documented and authorized in a timely way. (Availability Prin. and Criteria Table § 3.17, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide that emergency changes are documented and authorized in a timely way. (Processing Integrity Prin. and Criteria Table § 3.18, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide that emergency changes are documented and authorized in a timely way. (Confidentiality Prin. and Criteria Table § 3.20, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe). (CC8.1 Provides for Changes Necessary in Emergency Situations, Trust Services Criteria)
  • A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). (CC8.1 ¶ 2 Bullet 13 Provides for Changes Necessary in Emergency Situations, Trust Services Criteria, (includes March 2020 updates))
  • CSR 3.5.5: The organization must implement procedures for controlling emergency changes, including authorizing and documenting the emergency changes; reporting the changes; and reviewing the changes by an independent IT supervisor. CSR 6.1.1: The organization must document emergency changes, have th… (CSR 3.5.5, CSR 6.1.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The change control policy should have procedures for implementing changes quickly in the event of an emergency. (Pg 30, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Emergency changes are changes that should be made quickly because of security or processing problems. The procedures for making these changes should be the same as routine changes but should be expedited expeditiously. Emergency change procedures should include reviews and authorizations; testing; b… (Pg 32, Pg 54, FFIEC IT Examination Handbook - Development and Acquisition)
  • Emergency change procedures should be in place in the event the change requires immediate attention. (Pg 33, FFIEC IT Examination Handbook - Operations, July 2004)
  • (CC-2.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Are there implemented policies and procedures for handling emergency software fixes and temporary software fixes, as well as new releases or upgrades? (IT - Networks Q 30, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Organizations should consider using the same general approach for emergency patching as for routine patching, except with a highly accelerated schedule. Even under emergency circumstances, it may still be beneficial to first deploy a new patch to a small number of canary assets to confirm that the p… (3.5.2 ¶ 1, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • The plan should also indicate requirements for the timely replacement of components in the case of an emergency. If possible, replacements for hard-to-obtain critical components should be kept in inventory. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Approaches to applying cyber resiliency techniques vary in maturity and adoption. The decision to use less mature technologies depends on the organization's risk management strategy and its strategy for managing technical risks. Many highly mature and widely adopted technologies and processes that w… (3.1.8 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)