Back

Update associated documentation after the system configuration has been changed.


CONTROL ID
00891
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a configuration change log., CC ID: 08710
  • Document approved configuration deviations., CC ID: 08711


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • App 2-1 Item Number V.3(1): Documentation changes must be approved by the persons in charge of the user and maintenance departments prior to modifications being made. Modifications to program design documents and system design documents must be completed in accordance with the maintenance plan. This… (App 2-1 Item Number V.3(1), App 2-1 Item Number VI.1.2(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization should review the documentation procedures on a regular basis in response to changes in operational requirements and development methods. (O70.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The manuals should be reviewed according to the predefined procedures each time any changes are made to the systems and then kept up to date. (P23.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • the maintenance of system and security documentation. (Security Control: 1211; Revision: 3; Bullet 6, Australian Government Information Security Manual, March 2021)
  • The Change Management process should include updating the information security documentation. (Control: 0912 Bullet 7, Australian Government Information Security Manual: Controls)
  • The organization must ensure that all information security documentation is updated for routine changes and urgent changes. (Control: 0115 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization should update the configuration information after every legitimate system change. (Control: 0386 Bullet 3, Australian Government Information Security Manual: Controls)
  • Appropriate documents should be modified whenever changes are made. (§ 2.8.7, § 2.8.10, Australian Government ICT Security Manual (ACSI 33))
  • The mechanisms triggering the change management process are to be integrated into the corresponding processes (e.g. personnel administration, building management, inventories). The Security Officer acts as a controlling body. The owner of a particular document is responsible for updating the documen… (§ 5.2.3 Subsection 3 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The basic approach of the organisation for checking and improving the information security process should be documented in a corresponding policy and should be passed by the management level. The policy for checking and improving the information security level particularly should stipulate how inter… (§ 10.3 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Operational (e.g. use of new IT systems, moves) and organisational changes (e.g. outsourcing) and changes of legal requirements must be incorporated into the security concept as early as the planning phase. The security concept and the related documentation must be updated with each relevant change.… (§ 10.2 Subsection 1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Emergency changes are to be classified as such by the change manager who creates the change documentation before applying the change to the production environment. Afterwards (e. g. within 5 working days), the change manager supplements the change documentation with a justification and the result of… (Section 5.11 BEI-10 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • (§ 3.3.4, OGC ITIL: Security Management)
  • The change control procedures should include the method for showing the 'change' status of the documentation. (¶ 18.1 Bullet 5, Good Practices For Computerized systems In Regulated GXP Environments)
  • Whenever changes are implemented, update the associated system and user documentation and procedures accordingly. (AI6.5 Change Closure and Documentation, CobiT, Version 4.1)
  • Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned. (AI6.4 Change Status Tracking and Reporting, CobiT, Version 4.1)
  • (Principle 7.18, ISACA Cross-Border Privacy Impact Assessment)
  • Examine the data flow diagram and interview personnel to verify the data flow diagram is kept up-to-date and updated when the environment changes. (Testing Procedures § 1.1.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The documentation should be updated on an annual basis or whenever changes are made to the software. (§ 14.1.2, § 14.2.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable. (6.5.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable. (A3.2.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation for significant changes, interview personnel, and observe the affected systems/networks to verify that the entity confirmed applicable PCI DSS requirements were in place on all new or changed systems and networks and that documentation was updated as applicable. (6.5.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable. (6.5.2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable. (6.5.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable. (6.5.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable. (6.5.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Change management processes must be documented in order to reduce the ongoing effort to map, validate, and certify changes to support Sarbanes-Oxley compliance. (§ 3.3 ¶ 4, IIA Global Technology Audit Guide (GTAG) 2:Change and Patch Management Controls: Critical for Organizational Success)
  • The organization must develop, implement, and maintain procedures for ensuring that documents are identified with the current revision status and changes. (§ 4.4.5 ¶ 2(c), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Arrangements should be made to ensure that once changes have been applied, documents associated with Information Systems and networks are updated (e.g., design information, system configuration, implementation details, and records of all changes to Information Systems and networks). (CF.07.06.05e, The Standard of Good Practice for Information Security)
  • Once an emergency is over, emergency fixes should be documented. (CF.11.03.06b, The Standard of Good Practice for Information Security)
  • Arrangements should be made to ensure that once changes have been applied, documents associated with Information Systems and networks are updated (e.g., design information, system configuration, implementation details, and records of all changes to Information Systems and networks). (CF.07.06.05e, The Standard of Good Practice for Information Security, 2013)
  • Once an emergency is over, emergency fixes should be documented. (CF.11.03.06b, The Standard of Good Practice for Information Security, 2013)
  • The Risk Management plan shall be updated whenever the medical Information Technology network is changed. (§ 4.3.5 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The project plan shall be updated whenever the project changes. (§ 4.5.2.3 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall correct relevant documents and make personnel aware of any changed requirements when the requirements are changed. (§ 7.2.2 ¶ 4, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Flaw remediation documentation should include the following: the process for users to submit reports; procedures for accepting security flaw reports; procedures used to track the reported security flaws; corrective actions for each flaw; the effect of the security flaw on the product; the methods us… (§ 17.2, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • All reported security flaws should be tracked and documented from the time they are reported through their resolutions. Flaws that are not security-related do not need to be tracked. Identified security flaws should be described in terms of their effects and have corrective actions associated with t… (§ 14.1 thru § 14.3, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The organization shall establish documented procedures, including authorities and responsibilities, for ensuring that changes and the current revision status are identified. (§ 4.3.2 ¶ 2(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The new or changed services shall be designed and documented to include any new or changed policies or plans. (§ 5.3 ¶ 1(f), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The Configuration Management Database records shall be updated after the successful deployment of changes. (§ 9.2 ¶ 12, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Change reporting to be conducted during each change and analyzed regularly to detect increasing levels of change, frequently recurring types, and emerging trends. (§ 9.2.4, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • All changes to the system should be documented. The changes should be approved by management prior to being implemented. (§ 10.1.2, § 12.5.1, ISO 27002 Code of practice for information security management, 2005)
  • For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall implement the changes as specified in change requests and shall identify and carry out tasks that need to be repeated due to the change, including changing the software safet… (§ 8.2.2, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • Document changes to planned control implementations based on the "as-implemented" state of controls. (TASK I-2, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • A process is in place to document system changes to support ongoing maintenance of the system and to support internal and external users in performing their responsibilities. (CC8.1 ¶ 3 Bullet 4 Documents Changes, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Does the operation Change Management/Change Control policy or program include documentation of changes? (§ G.2.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the documented Change Management/Change Control Process include documentation for all system changes? (§ I.2.22.10, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • CSR 6.3.13: The organization must update the documentation for hardware, software, operating personnel, and system users when implementing a new or modified system or when adding or modifying system security controls. CSR 10.7.6: The organization must record the installation of information system co… (CSR 6.3.13, CSR 10.7.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Must follow a change management and connection approval process that documents all aspects of approved connections and system modification (Section 5.10.1.1.2 ¶ 3 Bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Unless specifically noted, document changes shall be reviewed and approved by individual(s) in the same function or organization that conducted the original review and approval. Approved changes shall be communicated in a timely manner. Records of the changes to documents shall be maintained and inc… (§ 820.40(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Documentation shall be periodically reviewed and updated, as needed, due to changes in the environment or operations that affect the security of the electronic protected health information. (§ 164.316(b)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. (§ 164.316(b)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • All necessary verification and validation tasks should be conducted to ensure planned changes are implemented correctly, documentation is up-to-date and complete, and unacceptable changes have not occurred. (§ 5.2.7 ¶ 5 Bullet 5, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • All documents that have been affected by a software change should be updated. (§ 5.2.7 ¶ 5 Bullet 6, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • A documentation process to ensure the institution's information assets and technology inventory and disaster recovery plans are updated as appropriate when patches are applied. (App A Objective 6.15.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Updating audit procedures, software, and documentation for changes in the systems or environment; and (TIER I OBJECTIVES AND PROCEDURES Objective 10:3. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • The independence of the quality assurance function and the adequacy of controls over program changes including the: - parity of source and object programming code, - independent review of program changes, - comprehensive review of testing results, - management's approval before migration into produc… (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • When changes are made to an application or system, the continuity plan should be updated and the organization should ensure the alternate site can support the new application or system. (Pg 30, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • All changes should be documented according to the organizational standards. (Pg 57, Pg 58, Exam Obj 7.1, Exam Obj 10.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Procedures should be updated whenever there are changes made to a product. (Pg 17, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization shall implement revision and change control procedures for system documentation that include maintaining audit trails that document the time-sequenced development and modification of systems documentation. (§ 11.10(k)(2), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • The organization must ensure the system generates and retains all records of any changes to the system. (§ 5.6.5, Exhibit 4 CM-5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • The organization must update the audit review level, analysis level, and reporting level when a change in risk occurs. (SG.AU-6 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should update the system component inventory after installations, removals, and system updates. (SG.CM-8 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should update the system component inventory during component installations and system updates. (SG.CM-8 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must retain and review the records of changes. (App F § CM-3.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automated mechanisms to document completed changes to Information Systems. (App F § CM-3(1)(e), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must update the security plan whenever changes to the system or environment are made or problems are identified during plan implementation or security control assessments. (App F § PL-2.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)