CM-04-727 Security Impact Analysis


CM-04-727
Security Impact Analysis
Configuration Management
Protect
Change Management, Secure Configuration Management
LOW, MOD, HIGH
P2
Yes
August 24, 2016

All security-related information resources changes shall be approved by the information resource owner through a formal change management process. In cases where changes will affect mission-critical, confidential, or enterprise-wide information resources, the chief information security officer shall review and approve proposed changes as part of the change advisory board review.

Effects from changes to systems or applications are undetected in the production environment.
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
The organization considers and documents consideration of the potential impact to information security prior to the completion of a change.
• All security-related information resources changes shall be approved by the information owner through a change control process.
• Approval shall occur prior to implementation by the state organization or independent contractors.
Obtain configuration management policy; procedures addressing the monitoring of configuration changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records and ascertain if:
(I) the organization monitors changes to the information system by verifying that the organization:
- prior to change implementation and as part of the change approval process, conducts security impact analyses to assess the effects of the system changes;
- after the system is changed (including upgrades and modifications), checks the security features to confirm that the features are still functioning properly; and
- audits activities associated with configuration changes to the information system.