Level 2


Description:

Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. It covers changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes made to remediate vulnerabilities.

Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on those boards. Audit logs of changes record activity before and after changes are made to organizational systems, as well as the activities required to implement the changes. [SP 800-128] provides guidance on configuration change control.


Priority: High 


Domain: CONFIGURATION MANAGEMENT (CM) 


Services Associated with AWS: 

  • AWS Config, AWS Systems Manager Change Manager
  • AWS CloudTrail, AWS Config 


Services Associated with Azure:

  • Azure DevOps
  • Azure Automation
  • Azure Monitor
  • Azure Policy
  • Azure Resource Manager (ARM)
  • Azure Sentinel
  • Azure Active Directory (Azure AD)
  • Azure Security Center
  • Azure Logic Apps
  • Azure Governance


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
  • Technical: screenshot of ITAM or CMDB console 


Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC)
  • Configuration Management Database (CMDB)
  • IT Asset Management (ITAM)
  • Event Log Monitoring
  • Privileged Access Management (PAM)
  • Role Based Access Control (RBAC) 


What needs to be answered:

Are changes to the system authorized by company management and documented? Are they audited afterwards? Are changes tracked by an approved IT service management system?  


Checks for AWS

  • Configuration Change Control Process
    Description: This check ensures that organizations have a configuration change control process in place to track, review, approve/disapprove, and log changes to organizational systems. The process includes proposing, justifying, implementing, testing, reviewing, and disposing of changes to systems, including upgrades, modifications, and vulnerability remediation. It involves the use of Configuration Control Boards or Change Advisory Boards to review and approve proposed changes, considering representatives from development organizations for new development systems or major upgrades. Audit logs are maintained to track and document the activities related to system changes.
  • Approval and Documentation of System Changes
    Description: This check verifies that system changes undergo a formal approval process and are properly documented. Changes to organizational systems should be reviewed and approved by designated authorities to ensure that they align with organizational policies, meet security requirements, and undergo necessary testing and validation. Documentation of approved changes helps maintain an audit trail and provides visibility into the changes made to the systems.
  • Logging of System Changes
    Description: This check focuses on the logging of system changes. Organizations should maintain audit logs that capture the activities before and after changes are made to organizational systems, as well as the activities involved in implementing those changes. Logging system changes provides visibility into the change history, assists in troubleshooting, and supports auditing and compliance requirements.
     


Checks for Azure

  • Implement Configuration Change Control Process
    Description: This check ensures that organizations have implemented a configuration change control process to track, review, approve/disapprove, and log changes to Azure systems. The process includes proposing, justifying, implementing, testing, reviewing, and disposing of changes to Azure resources. It may involve the use of Configuration Control Boards or Change Advisory Boards to review and approve proposed changes. The process ensures that changes are authorized by company management, documented, and audited afterwards.
  • Approval and Documentation of Azure System Changes
    Description: This check verifies that changes to Azure systems undergo a formal approval process and are properly documented. Changes should be reviewed and approved by designated authorities to ensure they align with organizational policies, meet security requirements, and undergo necessary testing and validation. Documentation of approved changes helps maintain an audit trail and provides visibility into the changes made to Azure systems.
  • Logging of Azure System Changes
    Description: This check focuses on the logging of Azure system changes. Organizations should maintain audit logs that capture the activities before and after changes are made to Azure systems, as well as the activities involved in implementing those changes. Logging system changes provides visibility into the change history, assists in troubleshooting, and supports auditing and compliance requirements.
  • Utilize Approved IT Service Management System for Tracking System Changes
    Description: This check ensures that organizations track system changes using an approved IT service management system. An IT service management system, such as Azure DevOps or other approved tools, should be used to track and manage system changes. By utilizing an approved system, organizations can effectively track, document, and manage the entire lifecycle of system changes, ensuring transparency, accountability, and compliance with change management practices.
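
The "Logging of System Changes" and "Approval and Documentation" checks for AWS and Azure above both come down to the same audit question: can every logged control-plane change be traced back to an approved change record? The following script is an added example written for this page, not code from AWS, Microsoft or any ITSM product. It normalizes CloudTrail records (using the readOnly field to drop read-only API calls) and Azure Activity Log events (keeping only completed Administrative write/delete/action operations) into one shape, then matches each change against a list of approved change tickets by actor and implementation window. All log records, principal names, tag-free ticket IDs (CHG-1001, CHG-1002) and approval windows are constructed for the example; how an approved change is keyed (here by actor plus time window) is an assumption that should follow the organization's own change process.

```python
"""Added example (not the page's own code): reconcile logged cloud changes
against approved change records. The CloudTrail records, Azure Activity Log
events and approved change tickets below are all constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Change:
    source: str       # "cloudtrail" or "azure_activity"
    actor: str        # IAM principal ARN or Azure caller
    action: str       # API call / ARM operation that mutated something
    when: datetime    # UTC timestamp of the event


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str       # ITSM change record ID (hypothetical IDs below)
    actor: str        # principal authorized to implement the change
    start: datetime   # approved implementation window (UTC)
    end: datetime


def _utc(stamp: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamp form both log sources use."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def from_cloudtrail(record: dict):
    """Normalize one CloudTrail record. Calls flagged readOnly=true are not
    changes and are dropped; a record without the field is treated as a write."""
    if record.get("readOnly", False):
        return None
    return Change("cloudtrail", record["userIdentity"]["arn"],
                  f'{record["eventSource"]}:{record["eventName"]}',
                  _utc(record["eventTime"]))


def from_azure_activity(event: dict):
    """Normalize one Azure Activity Log event. Only Administrative-category
    write/delete/action operations that Succeeded count as changes; the
    'Started' entry the same operation also emits is skipped."""
    if event["category"]["value"] != "Administrative":
        return None
    op = event["operationName"]["value"]
    if not op.lower().endswith(("/write", "/delete", "/action")):
        return None
    if event["status"]["value"] != "Succeeded":
        return None
    return Change("azure_activity", event["caller"], op, _utc(event["eventTimestamp"]))


def reconcile(changes, approved):
    """Match each change to an approved ticket whose actor and window cover it.
    Returns (matched [(change, ticket)], unapproved [change])."""
    matched, unapproved = [], []
    for c in changes:
        ticket = next((a.ticket for a in approved
                       if a.actor == c.actor and a.start <= c.when <= a.end), None)
        if ticket is None:
            unapproved.append(c)
        else:
            matched.append((c, ticket))
    return matched, unapproved


# Constructed sample input: three CloudTrail records, three Activity Log events.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-03-05T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/NetOps/alice"}},
    {"eventTime": "2024-03-05T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/NetOps/alice"}},
    {"eventTime": "2024-03-05T22:40:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]
AZURE_EVENTS = [
    {"eventTimestamp": "2024-03-05T10:30:00Z", "caller": "carol@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "category": {"value": "Administrative"}, "status": {"value": "Started"}},
    {"eventTimestamp": "2024-03-05T10:30:05Z", "caller": "carol@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "category": {"value": "Administrative"}, "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-03-06T03:00:00Z", "caller": "dave@example.com",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"},
     "category": {"value": "Administrative"}, "status": {"value": "Succeeded"}},
]
# Constructed approved change records (hypothetical ticket IDs).
APPROVED = [
    ApprovedChange("CHG-1001", "arn:aws:sts::123456789012:assumed-role/NetOps/alice",
                   _utc("2024-03-05T10:00:00Z"), _utc("2024-03-05T11:00:00Z")),
    ApprovedChange("CHG-1002", "carol@example.com",
                   _utc("2024-03-05T10:00:00Z"), _utc("2024-03-05T12:00:00Z")),
]


def audit():
    """Normalize both sources and reconcile them against APPROVED."""
    changes = [c for c in map(from_cloudtrail, CLOUDTRAIL_RECORDS) if c]
    changes += [c for c in map(from_azure_activity, AZURE_EVENTS) if c]
    return reconcile(changes, APPROVED)


if __name__ == "__main__":
    ok, flagged = audit()
    for c, t in ok:
        print(f"OK    {t}  {c.actor}  {c.action}")
    for c in flagged:
        print(f"FLAG  no approved change  {c.actor}  {c.action}  {c.when:%Y-%m-%d %H:%MZ}")
```

Run against the constructed data, the security-group rule (CHG-1001) and the NSG rule write (CHG-1002) match their tickets, while bob's PutBucketPolicy and dave's storage-account delete are flagged because no approved change covers that actor at that time. Two caveats apply when this is adapted to real exports: an actor-plus-window match only shows that a change happened inside an approved window, not that it was the change the board approved, so the match should also be keyed on the target resource and operation recorded in the ticket; and neither log source covers data-plane or in-guest changes, which need their own logging (for example AWS Systems Manager or Azure Automation run history) to be reconciled the same way.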


More Details: Changes to systems must be reviewed and approved by the designated change authority (e.g., IT administrators or the Change Advisory Board) prior to implementation, and the review and the resulting change must be logged.