compliance controls are associated with this Policy definition 'Automate process to prohibit implementation of unapproved changes' (7d10debd-4775-85a7-1a41-7e128e0e8c50)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
CM-3(1) |
FedRAMP_High_R4_CM-3(1) |
FedRAMP High CM-3 (1) |
Configuration Management |
Automated Document / Notification / Prohibition Of Changes |
Shared |
n/a |
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
link |
6 |
hipaa |
0638.10k2Organizational.34569-10.k |
hipaa-0638.10k2Organizational.34569-10.k |
0638.10k2Organizational.34569-10.k |
06 Configuration Management |
0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
Changes are formally controlled, documented, and enforced in order to minimize the corruption of information systems. |
|
14 |
hipaa |
0671.10k1System.1-10.k |
hipaa-0671.10k1System.1-10.k |
0671.10k1System.1-10.k |
06 Configuration Management |
0671.10k1System.1-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization manages changes to mobile device operating systems, patch levels, and/or applications through a formal change management process. |
|
16 |
ISO27001-2013 |
A.12.1.2 |
ISO27001-2013_A.12.1.2 |
ISO 27001:2013 A.12.1.2 |
Operations Security |
Change management |
Shared |
n/a |
Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
link |
27 |
ISO27001-2013 |
A.12.5.1 |
ISO27001-2013_A.12.5.1 |
ISO 27001:2013 A.12.5.1 |
Operations Security |
Installation of software on operational systems |
Shared |
n/a |
Procedures shall be implemented to control the installation of software on operational systems. |
link |
18 |
ISO27001-2013 |
A.12.6.2 |
ISO27001-2013_A.12.6.2 |
ISO 27001:2013 A.12.6.2 |
Operations Security |
Restrictions on software installation |
Shared |
n/a |
Rules governing the installation of software by users shall be established and implemented. |
link |
18 |
ISO27001-2013 |
A.14.2.2 |
ISO27001-2013_A.14.2.2 |
ISO 27001:2013 A.14.2.2 |
System Acquisition, Development And Maintenance |
System change control procedures |
Shared |
n/a |
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
link |
25 |
ISO27001-2013 |
A.14.2.3 |
ISO27001-2013_A.14.2.3 |
ISO 27001:2013 A.14.2.3 |
System Acquisition, Development And Maintenance |
Technical review of applications after operating platform changes |
Shared |
n/a |
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. |
link |
18 |
ISO27001-2013 |
A.14.2.4 |
ISO27001-2013_A.14.2.4 |
ISO 27001:2013 A.14.2.4 |
System Acquisition, Development And Maintenance |
Restrictions on changes to software packages |
Shared |
n/a |
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. |
link |
24 |
ISO27001-2013 |
C.8.1 |
ISO27001-2013_C.8.1 |
ISO 27001:2013 C.8.1 |
Operation |
Operational planning and control |
Shared |
n/a |
The organization shall plan, implement and control the processes needed to meet information security
requirements, and to implement the actions determined in 6.1. The organization shall also implement
plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that
the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes,
taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are determined and controlled. |
link |
21 |
|
mp.eq.2 User session lockout |
mp.eq.2 User session lockout |
404 not found |
|
|
|
n/a |
n/a |
|
29 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
60 |
NIST_SP_800-171_R2_3 |
.4.3 |
NIST_SP_800-171_R2_3.4.3 |
NIST SP 800-171 R2 3.4.3 |
Configuration Management |
Track, review, approve or disapprove, and log changes to organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. [SP 800-128] provides guidance on configuration change control. |
link |
15 |
NIST_SP_800-53_R4 |
CM-3(1) |
NIST_SP_800-53_R4_CM-3(1) |
NIST SP 800-53 Rev. 4 CM-3 (1) |
Configuration Management |
Automated Document / Notification / Prohibition Of Changes |
Shared |
n/a |
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
link |
6 |
NIST_SP_800-53_R5 |
CM-3(1) |
NIST_SP_800-53_R5_CM-3(1) |
NIST SP 800-53 Rev. 5 CM-3 (1) |
Configuration Management |
Automated Documentation, Notification, and Prohibition of Changes |
Shared |
n/a |
Use [Assignment: organization-defined automated mechanisms] to:
(a) Document proposed changes to the system;
(b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval;
(c) Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period];
(d) Prohibit changes to the system until designated approvals are received;
(e) Document all changes to the system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the system are completed. |
link |
6 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |