Establish, implement, and maintain a back-out plan.

CONTROL ID
13623
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain back-out procedures for each proposed change in a change request., CC ID: 00373
  • Approve back-out plans, as necessary., CC ID: 13627


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Including methods of dealing with the failed deployment of a patch (e.g., redeployment of the patch). (Critical components of information security 19) iii.g., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Back-out positions should be established so that the application can recover from failed changes or unexpected results (Critical components of information security 20) iii. Bullet 5, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • implementation plans that include, as appropriate, a back-out/fall-back strategy that provides reasonable assurance that a failed deployment can be reversed or otherwise managed. (Attachment A ¶ 2(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Procedures to address failures and return to a secure state. (6.5.1 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Procedures to address failures and return to a secure state. (6.5.1 Bullet 6, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Procedures to address failures and return to a secure state. (6.5.1 Bullet 6, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Procedures to address failures and return to a secure state. (6.5.1 Bullet 6, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Procedures to address failures and return to a secure state. (6.5.1 Bullet 6, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns. (CCC-09, Cloud Controls Matrix, v4.0)
  • The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. (§ 8.5.3 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization shall review changes for effectiveness and take actions agreed with interested parties. (§ 8.5.1.3 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. (§ 8.5.1.3 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Rollback capabilities when installing patches, updates, etc. (§ 5.10.4.1 ¶ 2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)