CCI-004797
CCI-004797 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if: - [SA-10(07)_ODP[01]; security representatives to be included in the configuration change management and control process are defined] are required to be included in the [SA-10(07)_ODP[03]; configuration change management and control processes in which security representatives are required to be included are defined]. - [SA-10(07)_ODP[02]; privacy representatives to be included in the configuration change management and control process are defined] are required to be included in the [SA-10(07)_ODP[04]; configuration change management and control processes in which privacy representatives are required to be included are defined].
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; configuration management policy; configuration management plan; solicitation documentation requiring representatives for security and privacy; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; change control records; configuration management records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with configuration management responsibilities; system developers].