
Approve and authorize the newly implemented system.


CONTROL ID: 06274
CONTROL TYPE: Systems Design, Build, and Implementation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle implementation phase. (CC ID: 06268)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • In addition, in order to smoothly make the transition to production operation, it is necessary to turn over the work to the operation department (persons in charge of operations), and give a sufficient explanation to the department and users, and confirm the readiness of transition. (P77.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • There needs to be a documented Migration Policy indicating the requirement of roadmap / migration plan / methodology for data migration (which includes verification of completeness, consistency and integrity of the migration activity and pre and post migration activities along with responsibilities … (Critical components of information security 12) (i), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation. (Control: ISM-0027; Revision: 4, Australian Government Information Security Manual, June 2023)
  • System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation. (Control: ISM-0027; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Ensure that business process owners and IT stakeholders evaluate the outcome of the testing process as determined by the test plan. Remediate significant errors identified in the testing process, having completed the suite of tests identified in the test plan and any necessary regression tests. Foll… (AI7.7 Final Acceptance Test, CobiT, Version 4.1)
  • The medical information technology network risk manager shall examine the summaries of all residual risk to determine the acceptability of risk associated with current or future changes or projects. (§ 4.5.3 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The medical information technology network risk manager shall approve changes to the medical Information Technology network before it goes live. (§ 4.5.3 ¶ 3, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall activate the system after installation. (§ 6.4.7.3(b)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall activate the system. (§ 6.4.9.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The security program, in relation to protecting personal information, should include procedures for authorizing system components before implementation. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Does the documented Change Management/Change Control Process include management approval prior to deployment? (§ I.2.22.2, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Inventory process for systems and information assets residing in the cloud computing environment. An effective inventory process for the use of cloud computing environments is an essential component for secure configuration management, vulnerability management, and monitoring of controls. Processes … (Risk Management Cloud Security Management Bullet 3, FFIEC Security in a Cloud Computing Environment)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Authorizes the system to operate; (CA-6c.2., FedRAMP Security Controls High Baseline, Version 5)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., FedRAMP Security Controls High Baseline, Version 5)
  • Authorizes the system to operate; (CA-6c.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., FedRAMP Security Controls Low Baseline, Version 5)
  • Authorizes the system to operate; (CA-6c.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Authorizes the system to operate; (CA-6c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Authorizes the system to operate; (CA-6c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Authorizes the system to operate; (CA-6c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Authorizes the system to operate; (CA-6c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Authorizes the system to operate; (CA-6c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Authorizes the system to operate; (CA-6c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Authorizes the system to operate; (CA-6c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Authorizes the system to operate; (CA-6c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provide recommendations on new database technologies and architectures. (T0210, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Supports incident management, service-level management, change management, release management, continuity management, and availability management for databases and data management systems. (T0306, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must authorize the system for processing before it becomes operational. (SG.CA-5 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must ensure the Information System is authorized for processing before commencing operations. (App F § CA-6.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Provide recommendations on new database technologies and architectures. (T0210, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure that security improvement actions are evaluated, validated, and implemented as required. (T0089, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Supports incident management, service-level management, change management, release management, continuity management, and availability management for databases and data management systems. (T0306, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization ensures that the authorizing official authorizes the information system for processing before commencing operations. (CA-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the authorizing official authorizes the information system for processing before commencing operations. (CA-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the authorizing official authorizes the information system for processing before commencing operations. (CA-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the authorizing official authorizes the information system for processing before commencing operations. (CA-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Authorizes the system to operate; (CA-6c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization. (CA-6(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Authorizes the system to operate; (CA-6c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; (CA-6d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization. (CA-6(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Authorize the Information System: The security authorization decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process. An authorizing official relies primarily on: (i) the com… (§ 3.3.3.4, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., TX-RAMP Security Controls Baseline Level 1)
  • Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (CA-6b., TX-RAMP Security Controls Baseline Level 2)