Change Control and Configuration Management

Change control and configuration management policies are a key component of the Information Security Program.

CCC Control Domains

CCC-01: New Development / Acquisition - System and Service Acquisition Policy

  • CCC-01.1: Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?


Policy to be referenced here is INSERT
*Action item: INSERT

CCC-02: Outsourced Development -

  • CCC-02.1: Are policies and procedures for change management, release, and testing adequately communicated to external business partners?


Policy to be referenced here is INSERT
*Action item: INSERT

  • CCC-02.2: Are policies and procedures adequately enforced to ensure external business partners comply with change management requirements?


Policy to be referenced here is INSERT
*Action item: INSERT

CCC-03: Management Quality Testing - Change Management Policy, Configuration Management Policy, Development Methodology Policy, Patch Management Policy

  • CCC-03.1: Do you have a defined quality change control and testing process in place based on system availability, confidentiality, and integrity?


Policy to be referenced here is INSERT
*Action item: INSERT

  • CCC-03.2: Is documentation describing known issues with certain products/services available?


Policy to be referenced here is INSERT
*Action item: INSERT

  • CCC-03.3: Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?


Policy to be referenced here is INSERT
*Action item: INSERT

  • CCC-03.4: Do you have controls in place to ensure that standards of quality are being met for all software development?


Policy to be referenced here is INSERT
*Action item: INSERT

  • CCC-03.5: Do you have controls in place to detect source code security defects for any outsourced software development activities?


Policy to be referenced here is INSERT
*Action item: INSERT

  • CCC-03.6: Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?


Policy to be referenced here is INSERT
*Action item: INSERT

CCC-04: Unauthorized Software Installations -

  • CCC-04.1: Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?


Policy to be referenced here is INSERT
*Action item: INSERT

CCC-05: Production Changes - Change Management Policy

  • CCC-05.1: Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?


Policy to be referenced here is INSERT
*Action item: INSERT

  • CCC-05.2: Do you have policies and procedures established for managing risks with respect to change management in production environments?


Policy to be referenced here is INSERT
*Action item: INSERT

  • CCC-05.3: Do you have technical measures in place to ensure that changes in production environments are registered, authorized and in adherence with existing SLAs?


Policy to be referenced here is INSERT
*Action item: INSERT

Related Documents

  • None