Article 45 – Information Security
49020.11.6.1 Change Control Procedures
Formal change control procedures shall be documented and enforced in order to minimize the corruption of information systems. Introduction of new systems and all changes that could possibly have an impact on the users or system availability shall follow a formal process of documentation, specification, testing, quality control, and managed implementation.
This process shall include an analysis of the impacts of changes, and specification of security controls needed. This process shall also ensure that existing security and control procedures are not compromised, that support programmers are given access only to those parts of the system necessary to perform or complete their work, and that formal agreement and approval for any change is obtained.
The following operational change control procedures shall be integrated:

- Maintain a record of the agreed authorization levels;
- Ensure changes are submitted by authorized users and have management approval;
- Review controls and integrity procedures to ensure that nothing will be compromised by the changes;
- Identify all software, information, database entities, and hardware that require amendment;
- Obtain formal approval from the Change Control Board before work commences;
- Ensure system documentation is updated on the completion of the change and that old documentation is archived or disposed of;
- Maintain version control for all software updates;
- Maintain an audit trail of change requests;
- Ensure that operating documentation and user procedures are changed as necessary to remain appropriate;
- Ensure that the implementation of changes takes place at the right time and does not have a significant impact on the business involved.