Mitigate the adverse effects of unauthorized changes.


CONTROL ID
12244
CONTROL TYPE
Business Processes
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A documented strategy to respond to anticipated changes in cryptographic vulnerabilities. (12.3.3 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • A documented strategy to respond to anticipated changes in cryptographic vulnerabilities. (12.3.3 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A documented strategy to respond to anticipated changes in cryptographic vulnerabilities. (12.3.3 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • When determining necessary controls, or considering changes to existing controls, consideration should be given to risks and opportunities that need to be addressed, and to any unintended consequences that can result. The organization should control planned changes and review the consequences of uni… (8.1.1 ¶ 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization should control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 3, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1.3 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (8.1 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (§ 8.1 ¶ 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (Section 8.2 ¶ 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). (§ 8.1 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 3, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • determine whether any adverse effects have already occurred or can occur in the future; (§ 8.1 Guidance ¶ 3(n), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • plan and implement actions to mitigate any adverse effects as necessary; and (§ 8.1 Guidance ¶ 3(o), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • collect and retain documented information on unintended changes and actions taken to mitigate adverse effects. (§ 8.1 Guidance ¶ 3(p), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. (CM-6(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes. (CIP-010-4 Table R2 Part 2.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes. (CIP-010-2 Table R2 Part 2.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes. (CIP-010-3 Table R2 Part 2.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. (CM-6(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. (CM-6(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. (CM-6(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. (CM-6(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. (CM-6(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. (CM-6(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. (CM-6(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. (CM-6(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. (CM-6(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. (CM-6(2) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)