
Implement changes according to the change control program.


CONTROL ID
11776
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

This Control has the following implementation support Control(s):
  • Provide audit trails for all approved changes., CC ID: 13120


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Emergency changes should be logged and backed up (including the previous and changed program versions and data) so that recovery of previous program versions and data files is possible if necessary. Emergency changes need to be reviewed by independent personnel to ensure that the changes are proper … (4.3.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Change management issues must be tracked from the proposals to completion to ensure the changes are being made when necessary. Unresolved matters must be analyzed periodically. This is a control item that constitutes a greater risk to financial information. This is an IT general control. (App 2-1 Item Number VI.6.1(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Ensuring that the Change Management process is followed for any changes in application (Critical components of information security 11) c.2. Bullet 8, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Any changes to an application system/data need to be justified by genuine business need and approvals supported by documentation and subjected to a robust change management process. The change management would involve generating a request, risk assessment, authorization from an appropriate authority… (Critical components of information security 11) c.12., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The change management process should be documented, and include approving and testing changes to ensure that they do not compromise security controls, performing changes and signing them off to ensure they are made correctly and securely, reviewing completed changes to ensure that no unauthorised ch… (Critical components of information security 20) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Making changes only through well-administered change control procedures. (Critical components of information security 24) vii. a) ¶ 13 Bullet 10, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • implementation and testing of approved changes (Security Control: 1211; Revision: 3; Bullet 5, Australian Government Information Security Manual)
  • The organization must document and assess all changes to the gateway architecture in accordance with the Change Management process. (Control: 0625, Australian Government Information Security Manual: Controls)
  • intentionally introduced information security vulnerabilities are authorised. In APRA's view, changes that knowingly introduce security vulnerabilities would be minimised and, where possible, compensating controls implemented. This situation normally arises when dealing with system outages. (47(g)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • implementation plans that include, as appropriate, a back-out/fall-back strategy that provides reasonable assurance that a failed deployment can be reversed or otherwise managed. (Attachment A ¶ 2(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Furthermore, on an ongoing basis, financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require adoption of additional measures to mitigate related risks appropriately. These changes should be part of the financial… (3.4.4 37, Final Report EBA Guidelines on ICT and security risk management)
  • change management requirements. (3.6.1 63(f), Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should determine whether changes in the existing operational environment influence the existing security measures or require the adoption of additional measures to mitigate the risks involved. These changes should be in accordance with the financial institutions' formal change… (3.6.3 76, Final Report EBA Guidelines on ICT and security risk management)
  • Complying with the security targets in case of new developments and procurement of information systems as well as changes. (Section 5.11 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Emergency changes are to be classified as such by the change manager who creates the change documentation before applying the change to the production environment. Afterwards (e. g. within 5 working days), the change manager supplements the change documentation with a justification and the result of… (Section 5.11 BEI-10 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • When changes are planned, are they carried out in a controlled way and actions taken to mitigate any adverse effects? (Operation ¶ 4, ISO 22301: Self-assessment questionnaire)
  • Is there a plan for determining the need for changes to the BCMS and managing their implementation? (Operation ¶ 3, ISO 22301: Self-assessment questionnaire)
  • Is there a plan for determining the need for changes to the ISMS and managing their implementation? (Operation ¶ 2, ISO 22301: Self-assessment questionnaire)
  • Change requests for IT systems shall be accepted, documented, evaluated taking due account of potential implementation risks, prioritised and approved in an orderly way, and implemented in a coordinated and secure way. (II.7.49, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • After the application goes live, any deviations from standard operations shall be monitored, their causes shall be investigated and, where appropriate, measures for subsequent improvement shall be taken. (II.6.42, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The quality systems procedures should ensure all changes are documented and closed out when the actions have been completed. (¶ 18.4, Good Practices For Computerized systems In Regulated GXP Environments)
  • Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised. (AI6.2 Impact Assessment, Prioritisation and Authorisation, CobiT, Version 4.1)
  • Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requir… (AI3.3 Infrastructure Maintenance, CobiT, Version 4.1)
  • Change control processes and procedures must be followed for all changes to system components. (PCI DSS Requirements § 6.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Follow change control processes and procedures for all changes to system components. The processes must include the following: (6.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Follow change control processes and procedures for all changes to system components. The processes must include the following: (6.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Follow change control processes and procedures for all changes to system components. The processes must include the following: (6.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are change control processes and procedures followed for all changes to system components to include the following: (6.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are change control processes and procedures followed for all changes to system components to include the following: (6.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine policies and procedures to verify the following are defined: - Development/test environments are separate from production environments with access control in place to enforce separation. - A separation of duties between personnel assigned to the development/test environments and those assign… (6.4, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Changes to all system components in the production environment are made according to established procedures that include: (6.5.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine recent changes to system components and trace those changes back to related change control documentation. For each change examined, verify the change is implemented in accordance with all elements specified in this requirement. (6.5.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Changes to all system components in the production environment are made according to established procedures that include: (6.5.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Changes to all system components in the production environment are made according to established procedures that include: (6.5.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Changes to all system components in the production environment are made according to established procedures that include: (6.5.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Changes to all system components in the production environment are made according to established procedures that include: (6.5.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Almost every business decision requires some change in IT, and the following factors are sources of change that must be addressed and managed: external environment; regulatory environment; vendors; partners and suppliers; operational problems; business objectives, strategies, goals, processes, requi… (§ 4.1.1, § 4.1.2, § 7 ¶ 2, IIA Global Technology Audit Guide (GTAG) 2:Change and Patch Management Controls: Critical for Organizational Success)
  • Emergency fixes should be approved by an appropriate business representative, logged, and carried out in accordance with standards / procedures. (CF.11.03.05, The Standard of Good Practice for Information Security)
  • Emergency fixes should be approved by an appropriate business representative, logged, and carried out in accordance with standards / procedures. (CF.11.03.05, The Standard of Good Practice for Information Security, 2013)
  • Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped … (Control 3.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes. (CEK-05, Cloud Controls Matrix, v4.0)
  • Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible. (CIS Control 5: Sub-Control 5.3 Securely Store Master Images, CIS Controls, 7.1)
  • Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible. (CIS Control 5: Sub-Control 5.3 Securely Store Master Images, CIS Controls, V7)
  • The medical information technology network risk manager shall use the Risk Management results to determine if changes are approved and accepted during the Change Management process. (§ 4.5.1 ¶ 3, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization may define routine changes, along with the constraints, that may be performed with acceptable risk. (§ 4.5.2.2 ¶ 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • Change control records should be examined to ensure change logs are being maintained. A sample of changes from the log should be examined to ensure that the procedures from the configuration management plan are being followed. Interviews should be conducted with personnel involved in the change proc… (§ 12.4.1.3.11, § 12.4.1.3.13, § 13.4.2.3.12, § 13.4.2.3.14, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The organization should control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should ensure that the change management process and procedures: • have a clearly defined and documented scope • provide business benefits • are scheduled based upon priority and risk • that changes are verified • the time to implement is monitored • and well documented. (§ 9.2.1, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • When the organization determines the need for changes to the BCMS, including those identified in Clause 10, the changes shall be carried out in a planned manner. (§ 6.3 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 3, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (8.1 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner (see 4.4). (6.3 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results; (4.4.1 ¶ 2(g), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (§ 8.1 ¶ 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (Section 8.2 ¶ 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • make changes (see 8.2) to the IT asset management system, if necessary (Section 10.1 ¶ 1(e), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). (§ 8.1 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. (§ 8.6.3 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • categories of change, including emergency change, and how they are to be managed; (§ 8.5.1.1 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • categories of change that are to be managed by service design and transition according to the change management policy; (§ 8.5.1.2 ¶ 2(c), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Changes to information processing facilities and information systems should be subject to change management procedures. (§ 8.32 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • implement changes according to the plan; (§ 8.1 Guidance ¶ 2(j), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • plan their implementation and assign tasks, responsibilities, deadlines and resources; (§ 8.1 Guidance ¶ 2(i), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Implements approved configuration-controlled changes to the information system; (CM-3d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Implements approved configuration-controlled changes to the information system; (CM-3d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Implements approved configuration-controlled changes to the information system; (CM-3d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification. (CC8.1 Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. (CC8.1, Trust Services Criteria)
  • A process is in place to implement system changes. (CC8.1 Deploys System Changes, Trust Services Criteria)
  • A process is in place to implement system changes. (CC8.1 ¶ 2 Bullet 9 Deploys System Changes, Trust Services Criteria, (includes March 2020 updates))
  • The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. (CC8.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. (CC8.1 ¶ 2 Bullet 11 Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents, Trust Services Criteria, (includes March 2020 updates))
  • Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity’s [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination there… (CC7.4, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity’s commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement:… (CC7.3, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • As with FedRAMP, CSPs must give DoD 30-day notice prior to significant changes. If a change is made without approval that affects the risk posture of the system, the DISA AO can revoke the DoD PA. As with continuous monitoring, the change control process will differ for CSPs depending on if they are… (Section 5.3.2 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard … (§ 164.316(a), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a mater… (§ 164.520(b)(3), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Such change meets the implementation specifications in paragraphs (i)(4)(i)(A)-(C) of this section; and (§ 164.530(i)(4)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. (§ 164.530(i)(4)(i)(C), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Verify that BCM activities align with the entity's change management process. (App A Objective 6:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implementation of changes with the goal of preserving confidentiality, integrity, and availability. (App A Objective 6:3f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implementation that includes a formal process to deploy the change. (App A Objective 6:4f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Depending on the complexity of the change, determine the adequacy of the processes to manage the change. Verify that changes to any IT system or service are supported by an orderly, adaptable, documented, and measurable process. (App A Objective 6:2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Review and evaluate the entity's change management process to implement changes that preserve systems' security and are based on the change type (e.g., planned, routine, and emergency). Determine whether management follows pre-defined processes, such as the following: (App A Objective 6:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Defines change requirements. (App A Objective 6.11.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Updating audit procedures, software, and documentation for changes in the systems or environment; and (TIER I OBJECTIVES AND PROCEDURES Objective 10:3. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • The organization should establish procedures for controlling changes to the product. All routine changes should include a change request, review of the change, and approval of the change. (Pg 31, Pg 52, Exam Obj 7.1, Exam Obj 10.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Implements approved configuration-controlled changes to the information system; (CM-3d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implements approved configuration-controlled changes to the information system; (CM-3d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement approved configuration-controlled changes to the system; (CM-3d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement approved configuration-controlled changes to the system; (CM-3d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Monitor changes in processing personally identifiable information and implement [Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with [Assignment: organization-defined requirements]. (PT-3d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Implement approved configuration-controlled changes to the system; (CM-3d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Implement approved configuration-controlled changes to the system; (CM-3d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Implement approved configuration-controlled changes to the system; (CM-3d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Configuration change control processes are in place. (PR.IP-3, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizations should plan to replace emergency mitigations with permanent fixes. Once a permanent fix, such as a patch, is available, the patch will need to be deployed and the mitigation removed. Schedules should be set and enforced for both patch deployment and mitigation removal. (3.5.3 ¶ 2, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Implements approved configuration-controlled changes to the information system; (CM-3d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implements approved configuration-controlled changes to the information system; (CM-3d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Once the decision is made to deploy a patch, there are other tools that automate this process from a centralized server and with confirmation that the patch has been deployed correctly. Consider separating the automated process for ICS patch management from the automated process for non-ICS applicat… (§ 6.2.17.3 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should enforce a 2-person rule for changes to organization-defined system components and system-level information. (App F § CM-5(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support automated mechanisms for implementing configuration change control. (App I § CM-3 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization implements approved configuration-controlled changes to the information system. (CM-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization coordinates and provides oversight for configuration change control activities through {organizationally documented configuration change control element (e.g., committee, board)} that convenes {organizationally documented frequency}. (CM-3g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization enforces dual authorization for implementing changes to {organizationally documented information system components}. (CM-5(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements approved configuration-controlled changes to the information system. (CM-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates and provides oversight for configuration change control activities through {organizationally documented configuration change control element (e.g., committee, board)} that convenes {organizationally documented configuration change conditions}. (CM-3g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization implements approved configuration-controlled changes to the information system. (CM-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates and provides oversight for configuration change control activities through {organizationally documented configuration change control element (e.g., committee, board)} that convenes {organizationally documented frequency}. (CM-3g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Implements approved configuration-controlled changes to the information system; (CM-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Implements approved configuration-controlled changes to the information system; (CM-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implements approved configuration-controlled changes to the information system; (CM-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]. (CM-5(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Monitor changes in processing personally identifiable information and implement [Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with [Assignment: organization-defined requirements]. (PT-3d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement approved configuration-controlled changes to the system; (CM-3d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce dual authorization for implementing changes to [Assignment: organization-defined system components and system-level information]. (CM-5(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implements approved configuration-controlled changes to the information system; (CM-3d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Procedures designed to ensure that customer information system modifications are consistent with the national bank's or Federal savings association's information security program; (§ III. C. 1.(d), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Implements approved configuration-controlled changes to the information system; (CM-3d., TX-RAMP Security Controls Baseline Level 2)
  • Implement only organization-approved changes to the system, component, or service; (SA-10c., TX-RAMP Security Controls Baseline Level 2)