PR.PO-P2: Configuration change control processes are established and in place
CSF v1.1 References:
Threats Addressed:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
CM-3: Configuration Change Control
Determine and document the types of changes to the system that are configuration-controlled; Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; Document configuration change decisions associated with the system; Implement approved configuration-controlled changes to the system; Retain records of configuration-controlled changes…
CM-4: Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
SA-10: Developer Configuration Management
Require the developer of the system, system component, or system service to: Perform configuration management during system, component, or service [Assignment (one or more): design, development, implementation, operation, disposal]; Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; Implement only organization-approved changes to the system, component, or service;…
Cloud Controls Matrix v3.0.1
CCC-01: New Development / Acquisition
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function.
CCC-02: Outsourced Development
External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
CCC-03: Quality Testing
Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.
CCC-04: Unauthorized Software Installations
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
CCC-05: Production Changes
Policies and procedures shall be established for managing the risks associated with applying changes to: Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations. Infrastructure network and systems components. Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or…
IVS-02: Change Detection
The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image’s…
NIST Special Publication 800-53 Revision 4
CM-3: Configuration Change Control
The organization: Determines the types of changes to the information system that are configuration-controlled; Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; Documents configuration change decisions associated with the information system; Implements approved configuration-controlled changes to the information system; Retains records of…
CM-4: Security Impact Analysis
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
SA-10: Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; Implement only organization-approved changes to the system,…
Critical Security Controls Version 7.1
11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.