Include version control in the change control program.
CONTROL ID
13119
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Change management is the process of planning, scheduling, applying, distributing and tracking changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems, and other IT facilities and equipment. An effective change management process helps to ensu… (4.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • a software source code control system and appropriate procedures to prevent unauthorised changes in the source code of software that is developed in-house; (Title 3 3.3.4(c) 56.f, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • control of changes (e.g. version control); (§ 7.5.3 ¶ 2 Bullet 3, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • control of changes (e.g. version control); (§ 7.5.3 ¶ 2 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • control of changes (e.g. version control); (§ 7.5.3.2 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • control of changes (e.g. version control); (§ 7.5.3 ¶ 2 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • control of changes (e.g. version control); (§ 7.5.3 ¶ 2 Bullet 3, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements. (8.3.6 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • control of changes (e.g. version control); (7.5.3.2 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • control of changes (e.g. version control); (§ 7.5.3 ¶ 2 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • control of changes (e.g. version control); (§ 7.5.3.2(c), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of the control operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by … (¶ 3.138, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of a control's operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by … (¶ 3.153, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Verify that management documents, tracks, and resolves any changes when updating the BCP and the exercise and testing program(s). Furthermore, verify that management maintains appropriate version control of key BCM documents. (App A Objective 11:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • VM versioning, replication, and life cycle policies for backup processes. (App A Objective 15:4a Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the financial institution has enhanced its change management program to address the procedures involved in the RDC function and ensure ongoing compatibility between financial institution and customer systems. Describe the coordination process. (App A Tier 2 Objectives and Procedures N.11 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identify and leverage the enterprise-wide version control system while designing and developing secure applications. (T0303, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Organizations should implement management practices and tools to validate the versioning of components provided for base OS management and functionality. Even though container-specific OSs have a much more minimal set of components than general-purpose OSs, they still do have vulnerabilities and stil… (4.5.3 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • The ISCP Coordinator should coordinate frequently with associated internal and external organizations and system POCs to ensure that impacts caused by changes within any organization will be reflected in the contingency plan. Strict version control must be maintained by requesting old plans or plan … (§ 3.6 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Identify and leverage the enterprise-wide version control system while designing and developing secure applications. (T0303, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)