Objective
To control and manage the changes to IT resources. Changes include but are not limited to security patching, configuration changes, firewall rule changes, system and application upgrades, application deployment and maintenance, software/application development and maintenance, critical infrastructure changes (e.g., storage, networking, networked life safety, and power management systems).
Security Controls
Change Control Requirements
The following table identifies baseline security requirements for a change control process for normal changes, emergency changes, pre-approved changes, etc. The High, Medium and Low columns give the requirement at each security level.

| ID | Description | High | Medium | Low |
|---|---|---|---|---|
| CM.A.01 | Periodically review, and follow a change control process | Required | Required (effective July 2019) | Recommended |
| CM.A.02 | Establish segregation of duties for implementation and approval of changes | Required | Recommended | Optional |
| CM.A.03 | Define and document procedures for transfer of software from non-production and production environments | Required | Required (effective July 2019) | Recommended |
| CM.A.04 | Communicate changes to appropriate audiences | Required | Recommended | Optional |
| CM.A.05 | Track/log changes to IT resources | Required | Required (effective July 2019) | Recommended |
Change Control Documentation
The following table identifies baseline security requirements for documenting a change request. The High, Medium and Low columns give the requirement at each security level.

| ID | Description | High | Medium | Low |
|---|---|---|---|---|
| CM.B.01 | Define and document approval and escalation criteria for change requests | Required | Recommended | Optional |
| CM.B.02 | Develop and document rollback procedures to reverse and recover from unsuccessful changes | Required | Recommended | Optional |
| CM.B.03 | Assess and document the potential impact of changes to the confidentiality, integrity and availability of University information or services prior to implementation of the change request | Required | Recommended | Optional |
| CM.B.04 | Test changes that are high impact prior to implementation of the change request | Required (effective July 2019) | Recommended | Recommended |
| CM.B.05 | Verify that information security requirements continue to be met by the change [1] | Required (effective July 2019) | Required (effective July 2019) | Recommended |
| CM.B.06 | Update applicable documentation (e.g., architecture diagrams, data flow diagrams, procedures) upon completion of a change | Required (effective July 2019) | Recommended | Optional |
| CM.B.07 | Document the decision to approve or deny the change request, and the success or roll-back/failure of its implementation | Required | Required (effective July 2019) | Optional |

[1] PCI DSS requires that all changes be tested for compliance with PCI DSS requirements on systems that store, process, or transmit cardholder data, or that support the credit card processing environment.
Resources Covered
This standard applies to IT resources owned or contracted by the University.
Individuals Covered
This standard applies to University community members who use or manage University IT resources.
Related Information
- More information on Change Management
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to change management.
Published Date
November 2014
Last Reviewed
April 2019