UEM-07: Operating Systems

CSF v1.1 References:

PF v1.0 References:

This control is new to this version of the control set and incorporates the following items from the previous version: MOS-15: Operating Systems, MOS-19: Security Patches.

Control Statement

Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes.

Implementation Guidance

The organization should consider the following points:

  1. Changes should be managed strictly and consistently.
  2. Formal management responsibilities and procedures should facilitate satisfactory control of all changes to endpoint operating systems, patch levels, and/or applications, including:
     a. The identification and recording of significant changes.
     b. The planning and testing of changes.
     c. The assessment of the potential impacts (including security impacts) of such changes.
     d. The formal approval for proposed changes.
     e. The communication of change details to all respective stakeholders.

Fallback procedures and responsibilities should be defined and implemented, including guidelines for aborting and recovering from unsuccessful changes and unforeseen events.

Auditing Guidance

  1. Examine the organization's change management policy for controls related to changes on endpoints.
  2. Determine if such controls are in place for making changes to production and infrastructure systems and if the controls are evaluated as effective.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.