Check: ENTD0110
Test and Development Zone B STIG: ENTD0110 (in versions v1 r6 through v1 r3)
Title
A change management policy must be implemented for application development. (Cat II impact)
Discussion
Change management is the formal review process that ensures that all changes made to a system or application receive formal review and approval. Change management reduces the impact of proposed changes that could interrupt the services provided. All changes to applications will be recorded under a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.
Check Content
Interview the ISSM/ISSO to determine whether a current Change Control Management policy has been implemented in the organization. If a change management policy has not been created and implemented for the organization, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Fix Text
Create a change management policy for the organization for application and system development.
Additional Identifiers
Rule ID: SV-51299r1_rule
Vulnerability ID: V-39441
Group Title: ENTD0110 - A change management policy is not implemented.
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.