Assign the roles and responsibilities for the change control program.


CONTROL ID: 13118
CONTROL TYPE: Human Resources Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define and assign workforce roles and responsibilities., CC ID: 13267

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Change management is the process of planning, scheduling, applying, distributing and tracking changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems, and other IT facilities and equipment. An effective change management process helps to ensu… (4.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Changes to the application should be performed by skilled and competent individuals who are capable of making changes correctly and securely and signed off by an appropriate business official. (Critical components of information security 20) iv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The implementation of the security safeguards should be evaluated at regular intervals by means of internal audits. These also serve the purpose of collecting and evaluating the experiences made in day-to-day practice. In addition to audits, it is also necessary to perform drills and awareness-raisin… (§ 7.4 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • All changes to the cloud service are subjected to tests (e. g. for integration, regression, security and user acceptance) during the development and before they are made available to the production environment. The tests are carried out by adequately qualified personnel of the cloud provider. Accord… (Section 5.11 BEI-07 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Change management procedures include role-based authorisations in order to ensure an appropriate separation of duties regarding the development, release and migration of changes between the environments. (Section 5.11 BEI-12 Basic requirement, Cloud Computing Compliance Controls Catalogue (C5))
  • The access and management of the logging and monitoring functionalities is limited to selected and authorised employees of the cloud provider. Changes to the logging and monitoring are checked by independent and authorised employees and approved beforehand. (Section 5.6 RB-15 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented. (5.3 ¶ 2(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • plan their implementation and assign tasks, responsibilities, deadlines and resources; (§ 8.1 Guidance ¶ 2(i), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The entity assigns responsibility and accountability for the management of risks and changes to services associated with vendors and business partners. (CC9.2 ¶ 3 Bullet 4 Assigns Responsibility and Accountability for Managing Vendors and Business Partners, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element]. (CM-3(4) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Identification of responsible staff, applicable stakeholder working groups, or entity committees. (App A Objective 6:3c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Require [Assignment: organization-defined security and privacy representatives] to be members of the [FedRAMP Assignment: Configuration control board (CCB) or similar (as defined in CM-3)]. (CM-3(4) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Require [Assignment: organization-defined security and privacy representatives] to be members of the [FedRAMP Assignment: Configuration control board (CCB) or similar (as defined in CM-3)]. (CM-3(4) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. (CM-3(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. (CM-3(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. (CM-3(4) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. (CM-3(4) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element]. (CM-3(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. (CM-3(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process]. (SA-10(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. (CM-3(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process]. (SA-10(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)