
Approve each system's Configurable Items (and changes to those Configurable Items).


CONTROL ID: 04887
CONTROL TYPE: Technical Security
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Identify and document the system's Configurable Items. (CC ID: 02133)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization must not use a wireless network, unless the deployment has been approved by the Defence Signals Directorate. (Control: 0538, Australian Government Information Security Manual: Controls)
  • System images must be approved by the organizational Change Control Board. (Critical Control 3.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization shall notify the medical device manufacturer and follow regulatory steps for putting the medical device in service, when changes are made absent the consent of the medical device manufacturer. (§ 4.4.4.3 ¶ 3, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • Department of Defense Information Systems must be under the control of a Configuration Control Board that meets regularly. (DCCB-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Department of Defense Information Systems must be under the control of a Configuration Control Board that meets regularly. (DCCB-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Maintains standard images of the entity's servers and stores them securely. Uses clean (i.e., trusted) images to restore the server if a server needs to be rebuilt and documents, reviews, and approves deviations from the standard image. (App A Objective 13:3g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)