compliance controls are associated with this Policy definition 'Require developers to implement only approved changes' (085467a6-9679-5c65-584a-f55acefd0d43)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
SA-10 |
FedRAMP_High_R4_SA-10 |
FedRAMP High SA-10 |
System And Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.
References: NIST Special Publication 800-128. |
link |
9 |
FedRAMP_Moderate_R4 |
SA-10 |
FedRAMP_Moderate_R4_SA-10 |
FedRAMP Moderate SA-10 |
System And Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.
References: NIST Special Publication 800-128. |
link |
9 |
hipaa |
0671.10k1System.1-10.k |
hipaa-0671.10k1System.1-10.k |
0671.10k1System.1-10.k |
06 Configuration Management |
0671.10k1System.1-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization manages changes to mobile device operating systems, patch levels, and/or applications through a formal change management process. |
|
16 |
hipaa |
0791.10b2Organizational.4-10.b |
hipaa-0791.10b2Organizational.4-10.b |
0791.10b2Organizational.4-10.b |
07 Vulnerability Management |
0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications |
Shared |
n/a |
Procedures, guidelines, and standards for the development of applications are periodically reviewed, assessed, and updated as necessary by the appointed senior-level information security official of the organization. |
|
8 |
hipaa |
17101.10a3Organizational.6-10.a |
hipaa-17101.10a3Organizational.6-10.a |
17101.10a3Organizational.6-10.a |
17 Risk Management |
17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to provide specific control design and implementation information. |
|
7 |
hipaa |
1788.10a2Organizational.2-10.a |
hipaa-1788.10a2Organizational.2-10.a |
1788.10a2Organizational.2-10.a |
17 Risk Management |
1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization has established and appropriately protected secure development environments for system development and integration efforts that cover the entire system development life cycle. |
|
9 |
ISO27001-2013 |
A.12.1.2 |
ISO27001-2013_A.12.1.2 |
ISO 27001:2013 A.12.1.2 |
Operations Security |
Change management |
Shared |
n/a |
Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
link |
27 |
ISO27001-2013 |
A.14.2.2 |
ISO27001-2013_A.14.2.2 |
ISO 27001:2013 A.14.2.2 |
System Acquisition, Development And Maintenance |
System change control procedures |
Shared |
n/a |
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
link |
25 |
ISO27001-2013 |
A.14.2.4 |
ISO27001-2013_A.14.2.4 |
ISO 27001:2013 A.14.2.4 |
System Acquisition, Development And Maintenance |
Restrictions on changes to software packages |
Shared |
n/a |
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. |
link |
24 |
ISO27001-2013 |
A.14.2.7 |
ISO27001-2013_A.14.2.7 |
ISO 27001:2013 A.14.2.7 |
System Acquisition, Development And Maintenance |
Outsourced development |
Shared |
n/a |
The organization shall supervise and monitor the activity of outsourced system development. |
link |
28 |
ISO27001-2013 |
C.8.1 |
ISO27001-2013_C.8.1 |
ISO 27001:2013 C.8.1 |
Operation |
Operational planning and control |
Shared |
n/a |
The organization shall plan, implement and control the processes needed to meet information security
requirements, and to implement the actions determined in 6.1. The organization shall also implement
plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that
the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes,
taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are determined and controlled. |
link |
21 |
|
mp.eq.2 User session lockout |
mp.eq.2 User session lockout |
404 not found |
|
|
|
n/a |
n/a |
|
29 |
|
mp.sw.1 IT Aplications development |
mp.sw.1 IT Aplications development |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
60 |
NIST_SP_800-53_R4 |
SA-10 |
NIST_SP_800-53_R4_SA-10 |
NIST SP 800-53 Rev. 4 SA-10 |
System And Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.
References: NIST Special Publication 800-128. |
link |
9 |
NIST_SP_800-53_R5 |
SA-10 |
NIST_SP_800-53_R5_SA-10 |
NIST SP 800-53 Rev. 5 SA-10 |
System and Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
Require the developer of the system, system component, or system service to:
a. Perform configuration management during system, component, or service [Selection (OneOrMore): design;development;implementation;operation;disposal] ;
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
link |
9 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |
SWIFT_CSCF_v2022 |
8.5 |
SWIFT_CSCF_v2022_8.5 |
SWIFT CSCF v2022 8.5 |
8. Set and Monitor Performance |
Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. |
Shared |
n/a |
Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. |
link |
11 |