Operations handle emergency situations that require a change to the production environment consistently.
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
Access control restrictions for the purposes of change are defined.
No statewide control
Obtain configuration management policy; procedures addressing access restrictions for changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records and ascertain if :
(I)the organization approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system, including upgrades, and modifications.
(ii)the organization generates, retains, and reviews records reflecting all such changes to the information system.
