Overview:
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
Action Items:
1) Create a change management policy and related procedures and publish to the company intranet for employees to access and review.
2) Inspect the change management policy to determine that policies and procedures are in place to guide personnel through the change management process across the system lifecycle.
3) Inspect the change tracking system to determine that a change tracking system is in place to centrally document, manage, and monitor changes from change requests through implementation.
4) Inspect the change tickets for a sample of changes implemented during the review period to determine that changes made to any in-scope systems are authorized, tested, and approved prior to implementation for each change sampled.
5) Inspect a sample of changes implemented during the review period to determine that the change approval board, or equivalent, approved each change sampled prior to implementation.
6) Inspect the change tickets for a sample of changes implemented during the review period to determine that impact analysis and rollback plans are documented prior to implementation, based on the nature of the change, for each change sampled.
7) Inspect the version control software to determine that version control software is utilized to restrict access to application source code and provide rollback capabilities.
8) Inspect the version control software access listing to determine that write access to the version control software is restricted to user accounts accessible by authorized personnel.
9) Inspect the automatic deployment software configuration to determine that an automated deployment tool is configured to log application and system change events made to the production environment and alert IT personnel.
10) Inspect the deployment tool access list to determine that the ability to implement application changes via the automated deployment tool is restricted to user accounts accessible by authorized personnel, separate from development personnel.
11) Inspect a sample of changes implemented during the review period to determine that security personnel review production code commits on a daily basis to ensure the code committed to production satisfies the entity's security commitments.
12) Inspect the change management procedures to determine that an emergency change process is in place for changes required in urgent situations.
13) Inspect the file integrity monitoring (FIM) software configuration and dashboard to determine that FIM software is in place to monitor for, detect, and alert the information security team on unauthorized software installation or configuration changes to in-scope production systems, and to track each alert through resolution.
14) Inspect the user access listings to determine that the ability to modify the FIM software is restricted to authorized IT administrative personnel.
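As an added illustration of what the FIM control in item 13 and the baseline configuration in point of focus 12 actually check, the following is example code written for this page (not from compliancewiki.org or any FIM product). It builds a hash baseline of a monitored tree, rescans, classifies added, removed and modified files, and then splits the findings into changes covered by an approved change ticket and unauthorized ones. The directory layout, file contents, and the set of paths treated as covered by an approved ticket are constructed assumptions.

```python
"""
File-integrity baseline and comparison (added example, not code from the
article or any FIM product). The monitored tree, its contents, the tampering
and the approved-change path set are all constructed inline so it runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its hash and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def triage(findings: dict, approved_paths: set) -> dict:
    """Split findings into paths covered by an approved change ticket and the rest.

    approved_paths is a hypothetical export from the change tracking system:
    every path an approved, implemented ticket says may have changed.
    """
    changed = findings["added"] + findings["removed"] + findings["modified"]
    return {
        "authorized": sorted(p for p in changed if p in approved_paths),
        "unauthorized": sorted(p for p in changed if p not in approved_paths),
    }


def demo() -> dict:
    """Build a constructed 'production' tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF-placeholder")

        # Persist the baseline as JSON; in a real deployment it must be stored
        # outside the monitored tree under separate access control.
        baseline_json = json.dumps(build_baseline(root), sort_keys=True)

        # Constructed changes: a config edit (covered by an approved ticket),
        # an unexpected new binary, and a deleted binary.
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=true\n")
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF-unexpected")
        (root / "bin" / "app").unlink()

        findings = compare(json.loads(baseline_json), build_baseline(root))
        approved = {"etc/app.conf"}  # assumed content of an approved change ticket
        return {"findings": findings, "triage": triage(findings, approved)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything in the "unauthorized" list is what item 13 expects the FIM tool to alert on and the security team to track to resolution; the baseline file itself is the artifact an auditor would inspect for point of focus 12.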
Related Documents:
1) Change management policy
2) Change tracking system configurations
3) Change tickets for a sample of changes
4) Version control software configurations
5) Version control software access listing
6) Automatic deployment software configurations
7) Automatic deployment software tool access listing
8) File integrity monitoring software configurations
9) User access list for personnel who have administrative access to FIM software
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Manages Changes Throughout the System Lifecycle—A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity.
2) Authorizes Changes—A process is in place to authorize system changes prior to development.
3) Designs and Develops Changes—A process is in place to design and develop system changes.
4) Documents Changes—A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities.
5) Tracks System Changes—A process is in place to track system changes prior to implementation.
6) Configures Software—A process is in place to select and implement the configuration parameters used to control the functionality of software.
7) Tests System Changes—A process is in place to test system changes prior to implementation.
8) Approves System Changes—A process is in place to approve system changes prior to implementation.
9) Deploys System Changes—A process is in place to implement system changes.
10) Identifies and Evaluates System Changes—Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
11) Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents—Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification.
12) Creates Baseline Configuration of IT Technology—A baseline configuration of IT and control systems is created and maintained.
13) Provides for Changes Necessary in Emergency Situations—A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe).
14) Protects Confidential Information—The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity's objectives related to confidentiality.
15) Protects Personal Information—The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity's objectives related to privacy.
Article ID: 246
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-change-management-for-infrastructure-data-software-and-procedures-cc8-1-246.html