Does your organization have formal procedures for documenting, reviewing, testing, and approving changes and exceptions to systems and applications?
Explanation
This question is about change management discipline: whether formal procedures require that changes and exceptions to systems and applications be documented, reviewed, tested, and approved before they take effect.
Without formal procedures, changes may be implemented inconsistently, potentially introducing security vulnerabilities or operational issues. A comprehensive change management procedure helps maintain system integrity, ensures changes are properly vetted, and creates accountability.
It also helps track modifications to systems over time, which is valuable for troubleshooting and compliance purposes.
Evidence could include a formal change management policy document, change request forms with approval workflows, documentation of testing procedures for changes, and records of past change requests showing the full approval cycle. Because the sub-category expects exceptions to be assessed for risk impact and tracked, exception records should also show the assessed risk, who accepted it, and a review or expiry date rather than an open-ended approval.
Implementation Example
Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions
ID: ID.RA-07.169
Context
- Function
- ID: IDENTIFY
- Category
- ID.RA: Risk Assessment
- Sub-Category
- Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?