PR.IP-3: Configuration change control processes are in place
PF v1.0 References:
Threats Addressed:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
CM-3: Configuration Change Control
Determine and document the types of changes to the system that are configuration-controlled; Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; Document configuration change decisions associated with the system; Implement approved configuration-controlled changes to the system; Retain records of configuration-controlled changes…
CM-4: Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
SA-10: Developer Configuration Management
Require the developer of the system, system component, or system service to: Perform configuration management during system, component, or service [Assignment (one or more): design, development, implementation, operation, disposal]; Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; Implement only organization-approved changes to the system, component, or service;…
NIST Special Publication 800-171 Revision 2
3.4.3: Track, review, approve or disapprove, and log changes to organizational systems
Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration…
3.4.4: Analyze the security impact of changes prior to implementation
Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to…
3.4.5: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems
Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. Access restrictions include physical…
Cloud Controls Matrix v3.0.1
CCC-01: New Development / Acquisition
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function.
CCC-02: Outsourced Development
External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
CCC-03: Quality Testing
Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.
CCC-04: Unauthorized Software Installations
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
CCC-05: Production Changes
Policies and procedures shall be established for managing the risks associated with applying changes to: Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations. Infrastructure network and systems components. Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or…
IVS-02: Change Detection
The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image’s…
NIST Special Publication 800-53 Revision 4
CM-3: Configuration Change Control
The organization: Determines the types of changes to the information system that are configuration-controlled; Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; Documents configuration change decisions associated with the information system; Implements approved configuration-controlled changes to the information system; Retains records of…
CM-4: Security Impact Analysis
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
SA-10: Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; Implement only organization-approved changes to the system,…
Critical Security Controls Version 7.1
11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.