| Control | Status | |
|---|---|---|
| Change Management Program | Mechanisms exist to facilitate the implementation of a change management program. | |
| Configuration Change Control | Mechanisms exist to govern the technical configuration change control processes. | |
| Prohibition Of Changes | Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received. | |
| Test, Validate & Document Changes | Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment. | |
| Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes | Mechanisms exist to include a cybersecurity and/or data privacy representative in the configuration change control review process. | |
| Security Impact Analysis for Changes | Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change. | |
| Access Restriction For Change | Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes. | |
| Automated Access Enforcement / Auditing | Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes. | |
| Permissions To Implement Changes | Mechanisms exist to limit operational privileges for implementing changes. | |
| Stakeholder Notification of Changes | Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes. |