CCI-000344

Implementation Guidance

Determine if: - physical access restrictions associated with changes to the system are defined and documented. - physical access restrictions associated with changes to the system are approved. - physical access restrictions associated with changes to the system are enforced. - logical access restrictions associated with changes to the system are defined and documented. - logical access restrictions associated with changes to the system are approved. - logical access restrictions associated with changes to the system are enforced.

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; logical access approvals; physical access approvals; access credentials; change control records; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities; system/network administrators]. Test: [SELECT FROM: Organizational processes for managing access restrictions to change; mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system].