CMA_C1198 - Assign information security representative to change control
Additional metadata
Name/Id: CMA_C1198 / CMA_C1198 Category: Operational Title: Assign information security representative to change control Ownership: Customer Description: The customer is responsible for assigning an information security representative to be a member of the change control element defined in CM-03.g. Requirements: The customer is responsible for implementing this recommendation.
Mode
All
Type
BuiltIn
Preview
False
Deprecated
False
Effect
Default Manual Allowed Manual, Disabled
RBAC role(s)
none
Rule aliases
none
Rule resource types
IF (1) Microsoft.Resources/subscriptions
Compliance
The following 4 compliance controls are associated with this Policy definition 'Assign information security representative to change control' (6abdf7c7-362b-3f35-099e-533ed50988f9)
The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].
Supplemental Guidance: Information security representatives can include, for example, senior agency information security officers, information system security officers, or information system security managers. Representation by personnel with information security expertise is important because changes to information system configurations can have unintended side effects, some of which may be security-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security state of organizational information systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3.
Track, review, approve or disapprove, and log changes to organizational systems.
Shared
Microsoft and the customer share responsibilities for implementing this requirement.
Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. [SP 800-128] provides guidance on configuration change control.
The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].
Supplemental Guidance: Information security representatives can include, for example, senior agency information security officers, information system security officers, or information system security managers. Representation by personnel with information security expertise is important because changes to information system configurations can have unintended side effects, some of which may be security-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security state of organizational information systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3.
Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].