last sync: 2024-Apr-24 17:46:58 UTC

Require developers to document approved changes and potential impact | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Require developers to document approved changes and potential impact
Id 3a868d0c-538f-968b-0191-bddb44da5b75
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1597 - Require developers to document approved changes and potential impact
Additional metadata Name/Id: CMA_C1597 / CMA_C1597
Category: Documentation
Title: Require developers to document approved changes and potential impact
Ownership: Customer
Description: The customer is responsible for requiring the developer of customer-deployed resources to utilize configuration management, and to document approved changes and the potential security impacts of such changes.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 17 compliance controls are associated with this Policy definition 'Require developers to document approved changes and potential impact' (3a868d0c-538f-968b-0191-bddb44da5b75)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-10 FedRAMP_High_R4_SA-10 FedRAMP High SA-10 System And Services Acquisition Developer Configuration Management Shared n/a The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. References: NIST Special Publication 800-128. link 9
FedRAMP_Moderate_R4 SA-10 FedRAMP_Moderate_R4_SA-10 FedRAMP Moderate SA-10 System And Services Acquisition Developer Configuration Management Shared n/a The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. References: NIST Special Publication 800-128. link 9
hipaa 0602.06g1Organizational.3-06.g hipaa-0602.06g1Organizational.3-06.g 0602.06g1Organizational.3-06.g 06 Configuration Management 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance Shared n/a The results and recommendations of the reviews are documented and approved by management. 10
hipaa 0618.09b1System.1-09.b hipaa-0618.09b1System.1-09.b 0618.09b1System.1-09.b 06 Configuration Management 0618.09b1System.1-09.b 09.01 Documented Operating Procedures Shared n/a Changes to information assets, including systems, networks, and network services, are controlled and archived. 16
hipaa 0640.10k2Organizational.1012-10.k hipaa-0640.10k2Organizational.1012-10.k 0640.10k2Organizational.1012-10.k 06 Configuration Management 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes Shared n/a Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles. 22
hipaa 0671.10k1System.1-10.k hipaa-0671.10k1System.1-10.k 0671.10k1System.1-10.k 06 Configuration Management 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes Shared n/a The organization manages changes to mobile device operating systems, patch levels, and/or applications through a formal change management process. 16
hipaa 0791.10b2Organizational.4-10.b hipaa-0791.10b2Organizational.4-10.b 0791.10b2Organizational.4-10.b 07 Vulnerability Management 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications Shared n/a Procedures, guidelines, and standards for the development of applications are periodically reviewed, assessed, and updated as necessary by the appointed senior-level information security official of the organization. 8
hipaa 1788.10a2Organizational.2-10.a hipaa-1788.10a2Organizational.2-10.a 1788.10a2Organizational.2-10.a 17 Risk Management 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems Shared n/a The organization has established and appropriately protected secure development environments for system development and integration efforts that cover the entire system development life cycle. 9
hipaa 1795.10a2Organizational.13-10.a hipaa-1795.10a2Organizational.13-10.a 1795.10a2Organizational.13-10.a 17 Risk Management 1795.10a2Organizational.13-10.a 10.01 Security Requirements of Information Systems Shared n/a Independent acceptance testing proportional to the importance and nature of the system is performed both for in-house and for outsourced development to ensure the system works as expected and only as expected. 5
ISO27001-2013 A.12.1.2 ISO27001-2013_A.12.1.2 ISO 27001:2013 A.12.1.2 Operations Security Change management Shared n/a Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. link 27
ISO27001-2013 A.14.2.2 ISO27001-2013_A.14.2.2 ISO 27001:2013 A.14.2.2 System Acquisition, Development And Maintenance System change control procedures Shared n/a Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. link 25
ISO27001-2013 A.14.2.4 ISO27001-2013_A.14.2.4 ISO 27001:2013 A.14.2.4 System Acquisition, Development And Maintenance Restrictions on changes to software packages Shared n/a Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. link 24
ISO27001-2013 A.14.2.7 ISO27001-2013_A.14.2.7 ISO 27001:2013 A.14.2.7 System Acquisition, Development And Maintenance Outsourced development Shared n/a The organization shall supervise and monitor the activity of outsourced system development. link 28
ISO27001-2013 C.8.1 ISO27001-2013_C.8.1 ISO 27001:2013 C.8.1 Operation Operational planning and control Shared n/a The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are determined and controlled. link 21
NIST_SP_800-53_R4 SA-10 NIST_SP_800-53_R4_SA-10 NIST SP 800-53 Rev. 4 SA-10 System And Services Acquisition Developer Configuration Management Shared n/a The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. References: NIST Special Publication 800-128. link 9
NIST_SP_800-53_R5 SA-10 NIST_SP_800-53_R5_SA-10 NIST SP 800-53 Rev. 5 SA-10 System and Services Acquisition Developer Configuration Management Shared n/a Require the developer of the system, system component, or system service to: a. Perform configuration management during system, component, or service [Selection (OneOrMore): design;development;implementation;operation;disposal] ; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. link 9
SWIFT_CSCF_v2022 8.5 SWIFT_CSCF_v2022_8.5 SWIFT CSCF v2022 8.5 8. Set and Monitor Performance Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. Shared n/a Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. link 11
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 3a868d0c-538f-968b-0191-bddb44da5b75
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC