Establish, implement, and maintain a software release policy.


CONTROL ID
00893
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program. (CC ID: 00886)

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain traceability documentation. (CC ID: 16388)
  • Disseminate and communicate software update information to users and regulators. (CC ID: 06602)
  • Allow interested personnel and affected parties to opt out of specific version releases and software updates. (CC ID: 06809)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Before the organization implements a software package, it must verify suitability via the user requirements with respect to functions and effects. This is an IT general control. (App 2-1 Item Number II.2(8), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The framework should comprise the governance structure, processes and procedures for change management, software release management, incident and problem management as well as capacity management. (§ 7.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The procedures for approving changes and releasing changes to the system configuration or the System Software should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "Configuration control", Australian Government Information Security Manual: Controls)
  • When changes are made to software or hardware, all users should be educated about the changes and how they affect the software or hardware. (§ 2.8.10, Australian Government ICT Security Manual (ACSI 33))
  • Appropriate processes shall be defined for application development which contain specifications for identifying requirements, for the development objective, for (technical) implementation (including coding guidelines), for quality assurance, and for testing, approval and release. (II.6.36, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • A release schedule should be created to achieve patch production systems objectives and an attempt should be made to bundle the patches instead of applying individual patches to individual systems. (§ 4.5 ¶ 4, IIA Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls: Critical for Organizational Success)
  • The organization should only deploy software that has a signed software identification tag. (Critical Control 2.10, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The service provider shall establish a release policy that states the frequency and types of releases. (§ 9.3 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • § 5.8: The medical device manufacturer shall release software systems in accordance with sections 5.8.1 thru 5.8.8. § 5.8.1: For software systems assigned to Class B and Class C software safety classes, the medical device manufacturer shall ensure all software has been verified and the results are… (§ 5.8, § 6.3.2, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • A management-defined change control process is used for the implementation of software. (CC6.8 ¶ 2 Bullet 3 Uses a Defined Change Control Process, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • A management-defined change control process is used for the implementation of software. (CC6.8 Uses a Defined Change Control Process, Trust Services Criteria)
  • A management-defined change control process is used for the implementation of software. (CC6.8 ¶ 2 Bullet 3 Uses a Defined Change Control Process, Trust Services Criteria, (includes March 2020 updates))
  • Does the documented Change Management/Change Control Process include requirements for the transfer of software from development to production? (§ I.2.22.5, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • For cloud computing services, is the release frequency for newly created applications on an ad-hoc basis? (§ V.1.29.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the release frequency for newly created applications on a daily basis? (§ V.1.29.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the release frequency for newly created applications on a weekly basis? (§ V.1.29.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the release frequency for newly created applications on a biweekly basis? (§ V.1.29.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the release frequency for newly created applications on a monthly basis? (§ V.1.29.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the release frequency for newly created applications more than 3 months? (§ V.1.29.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the release frequency for newly created applications more than 6 months? (§ V.1.29.7, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the release frequency for newly created applications another time period? (§ V.1.29.8, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • CSR 3.4.2: An independent library control group must migrate tested and approved system software to production use. CSR 6.5.1: The organization must implement standardized procedures for distributing new software. CSR 6.5.2: The organization must document and review the implementation and distributi… (CSR 3.4.2, CSR 6.5.1, CSR 6.5.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Exam Obj 7.1 Evaluate the sufficiency of, and adherence to, maintenance standards and controls relating to: ▪ Change request and approval procedures; ▪ Change testing procedures; ▪ Change implementation procedures; ▪ Change review procedures; ▪ Change documentation procedures; ▪ Change n… (Exam Obj 7.1, Exam Obj 10.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • The organization should record the version number of the installed software to ensure the most current version is installed. (Pg 26, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should prevent the installation of critical software not signed with a recognized and approved certificate. (App F § CM-5(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)