Establish, implement, and maintain approved change acceptance testing procedures.


CONTROL ID
06391
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

This Control has the following implementation support Control(s):
  • Test the system's operational functionality after implementing approved changes., CC ID: 06294
  • Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred., CC ID: 04541
  • Establish, implement, and maintain a change acceptance testing log., CC ID: 06392


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization shall establish procedures for testing and verification. It should check results for validity and consistency. The procedures for checking changes should be documented in the form of an instruction manual. (T14.1(3), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The FI should adequately test the impending change and ensure that it is accepted by users prior to the migration of the changed modules to the production system. The FI should develop and document appropriate test plans for the impending change. The FI should obtain test results with user sign-offs… (§ 7.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Prior to deploying changes to the production environment, the FI should perform a risk and impact analysis of the change request in relation to existing infrastructure, network, up-stream and downstream systems. The FI should also determine if the introduced change would spawn security implications … (§ 7.1.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should ensure all changes are adequately tested in the test environment. Test plans for changes should be developed and approved by the relevant business and IT management. Test results should be accepted and signed off before the changes are deployed to the production environment. (§ 7.5.3, Technology Risk Management Guidelines, January 2021)
  • A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. (Security Control: 1610; Revision: 0, Australian Government Information Security Manual)
  • The Change Management process should include testing and implementing the approved changes. (Control: 0912 Bullet 6, Australian Government Information Security Manual: Controls)
  • IT security review points at all stages of the change life-cycle to ensure that security controls are identified, designed, constructed and tested so that the level of security continues to meet business objectives. The level of review would typically be commensurate with the risk associated with th… (Attachment A ¶ 2(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • changes scheduled and reviewed to ensure that multiple changes made at the same time do not conflict with each other; (Attachment A ¶ 2(g), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • All changes to the cloud service are subjected to tests (e. g. for integration, regression, security and user acceptance) during the development and before they are made available to the production environment. The tests are carried out by adequately qualified personnel of the cloud provider. Accord… (Section 5.11 BEI-07 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Unscheduled reviews after essential changes to the requirements or environment. The essentiality must be assessed by the cloud provider and documented comprehensibly for audits (Section 5.12 DLL-02 Basic requirement ¶ 1 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • Before a change is released to the production environment, it must be reviewed by an authorised body or a corresponding committee whether the planned tests have been completed successfully and the required approvals are granted. (Section 5.11 BEI-09 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Test scripts should be used to verify the software changes in response to a change request. (¶ 18.6, Good Practices For Computerized systems In Regulated GXP Environments)
  • Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned. (AI6.4 Change Status Tracking and Reporting, CobiT, Version 4.1)
  • Inspect and correlate the vulnerability scan reports and the change control documentation to verify that system components that were affected by a significant change had a vulnerability scan run on them after the change. (Testing Procedures § 11.2.3.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Establish change management baselines for all relevant authorized changes on organization assets. (CCC-06, Cloud Controls Matrix, v4.0)
  • The planning for new or changed services shall include or contain a reference to the required testing for the new or changed services. (§ 5.2 ¶ 3(h), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Approved changes shall be developed and tested. (§ 9.2 ¶ 9, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall review changes for effectiveness and take actions that have been agreed upon with interested parties. (§ 9.2 ¶ 13, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns. (CIP-007-6 Table R3 Part 3.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • As with FedRAMP, DoD requires a security assessment be performed by a 3PAO after a significant change is implemented, with a corresponding Security Assessment Report created. CSPs must also include all FedRAMP+ C/CEs in post-change assessments to meet DoD requirements. DISA will notify affected Miss… (Section 5.3.2.1 ¶ 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • A software validation analysis should be conducted to validate changes and to determine the extent and impact of the change on the entire system software, whenever the software is changed. (§ 4.7, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The software developer should conduct regression testing to show that unchanged, but vulnerable, parts of the system have not been adversely affected due to changes in the software. (§ 4.7, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The validation effort that is needed for each change is determined by the type of change, the development products affected, and the impact on the operation of the system. (§ 5.2.7 ¶ 4, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The software validation plan should be updated to support the validation of the revised software. (§ 5.2.7 ¶ 5 Bullet 1, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • All necessary verification and validation tasks should be conducted to ensure planned changes are implemented correctly, documentation is up-to-date and complete, and unacceptable changes have not occurred. (§ 5.2.7 ¶ 5 Bullet 5, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Testing, which documents that the change performs as intended, identifies flaws, and verifies that the change integrates with other systems. (App A Objective 6:4e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Performs necessary tests of all changes to the environment (e.g., systems testing, integration testing, functional testing, user acceptance testing, and security testing). (App A Objective 6.11.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The independence of the quality assurance function and the adequacy of controls over program changes including the: - parity of source and object programming code, - independent review of program changes, - comprehensive review of testing results, - management's approval before migration into produc… (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)