CCC: Change Control and Configuration Management

Controls

CCC-01: Change Management Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually.

CCC-02: Quality Testing

Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.

CCC-03: Change Management Technology

Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

CCC-05: Change Agreements

Include provisions limiting changes directly impacting CSC-owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.

CCC-08: Exception Management

Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.

CCC-09: Change Restoration

Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.