Description:   

Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. [SP 800-28] provides guidance on configuration change control.


Priority: High   


Category: Change Management 


Services Associated with AWS:   

  • AWS Config, AWS Systems Manager Change Manager
  • AWS CloudTrail, AWS Config 


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
  • Technical: screenshot of ITAM or CMDB console 


Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC)
  • Configuration Management Database (CMDB)
  • IT Asset Management (ITAM)
  • Event Log Monitoring
  • Privileged Access Management (PAM)
  • Role Based Access Control (RBAC) 


What needs to be answered:

Are changes to the system authorized by company management and documented? Are they audited afterwards? Are changes tracked by an approved IT service management system? 


  • Configuration Change Control Process
    Description: This check ensures that organizations have a configuration change control process in place to track, review, approve/disapprove, and log changes to organizational systems. The process includes proposing, justifying, implementing, testing, reviewing, and disposing of changes to systems, including upgrades, modifications, and vulnerability remediation. It involves the use of Configuration Control Boards or Change Advisory Boards to review and approve proposed changes, considering representatives from development organizations for new development systems or major upgrades. Audit logs are maintained to track and document the activities related to system changes.
  • Approval and Documentation of System Changes
    Description: This check verifies that system changes undergo a formal approval process and are properly documented. Changes to organizational systems should be reviewed and approved by designated authorities to ensure that they align with organizational policies, meet security requirements, and undergo necessary testing and validation. Documentation of approved changes helps maintain an audit trail and provides visibility into the changes made to the systems.
  • Logging of System Changes
    Description: This check focuses on the logging of system changes. Organizations should maintain audit logs that capture the activities before and after changes are made to organizational systems, as well as the activities involved in implementing those changes. Logging system changes provides visibility into the change history, assists in troubleshooting, and supports auditing and compliance requirements.


More Details:  

Changes to systems must be reviewed by IT administrators prior to implementation.