Authorize new assets prior to putting them into the production environment.

CONTROL ID
13530
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain facilities, assets, and services acceptance procedures., CC ID: 01144

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To ensure security, it is necessary to act comprehensively by combining the following measures. It is necessary to pay attention to the latest trends in security technology and to correctly evaluate the stability, compatibility, and usability of such a technology before adopting it. (P13.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For security technology used to connect to the Internet, it is necessary to pay attention to the latest trends and to correctly evaluate the stability, compatibility, and usability of such a technology before adopting it. (P14.8. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • has matured to a state where there is a generally agreed set of industry-accepted controls to manage the security of the technology; or (61(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • that have matured to a state where there is a generally agreed set of industry-accepted controls to manage the security of the technology; or (¶ 63(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and softwa… (CC6.1 ¶ 3 Bullet 9 Manages Credentials for Infrastructure and Software, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and softwa… (CC6.1 Manages Credentials for Infrastructure and Software, Trust Services Criteria)
  • New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and softwa… (CC6.1 ¶ 2 Bullet 8 Manages Credentials for Infrastructure and Software, Trust Services Criteria, (includes March 2020 updates))
  • Approved the selected software's use and determined that it met the entity's infrastructure requirements and strategic objectives. (App A Objective 13:5c Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), FedRAMP Security Controls High Baseline, Version 5)
  • Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1) ¶ 1(b), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. (SA-9(1)(b), TX-RAMP Security Controls Baseline Level 2)