The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives
A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity
A process is in place to authorize system changes prior to development
A process is in place to design and develop system changes
A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities
A process is in place to track system changes prior to implementation
A process is in place to select and implement the configuration parameters used to control the functionality of software
A process is in place to test system changes prior to implementation
A process is in place to approve system changes prior to implementation
A process is in place to implement system changes
Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle
Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents
Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification
A baseline configuration of IT and control systems is created and maintained
A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe)
The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality
The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy
- CFG-02 - System Hardening Through Baseline Configurations
- CFG-02.1 - Reviews & Updates
- CFG-02.2 - Automated Central Management & Verification
- CHG-01 - Change Management Program
- CHG-02 - Configuration Change Control
- CHG-02.2 - Test, Validate & Document Changes
- CHG-05 - Stakeholder Notification of Changes
- PRM-07 - Secure Development Life Cycle (SDLC) Management