SA-10 Developer Configuration Management

Control: The system developer creates and implements a configuration management plan that controls changes to the system during development, tracks security flaws, requires the authorization of changes, and provides documentation of the plan and its implementation. Requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management.

Illustrative Controls and TIBCO LogLogic Solution

Managing changes addresses how an organization modifies system functionality to help the business meet its reporting objectives. Deficiencies in this area might significantly impact reporting. For example, changes to the programs that allocate data to accounts require appropriate approvals and testing before the change to ensure classification and reporting integrity. Businesses must ensure that requests for program changes, system changes, and maintenance (including changes to system software) are standardized, documented, and subject to formal change management procedures.

Activity logs provide numerous ways to monitor system change activity to determine if change management procedures are correctly implemented and being followed under requirements 10.1.2(a), (b) and (c). Auditors review specific change management policies and then attempt to validate that they are followed by checking documentation or email trails. They use logs as a final validation to determine that the changes indicated in the documentation were actually implemented in the manner and at the time prescribed. Specifically, administrators should:

  • Have reports that identify all changes to firewall and router configurations and ensure that all changes are authorized. The most efficient way to identify configuration changes is at the time of the modification. Administrators should set up alerts so that any changes to the configuration, authorized or otherwise, are detected and reported.
  • Have reporting that periodically reviews all firewall rules to ensure accurate access control lists.
  • Have reports that review network traffic correlated with the firewall policy to ensure appropriate rules are used to protect the company.
  • Have reports that monitor all changes to the production environment and compare the changes to documented approvals, using alerts and reports on policy modifications, group activities, escalated-privilege activities, and permission changes.
  • Ensure that only authorized software is permitted for use by employees using company IT assets.
  • Validate that application software and data storage systems are properly configured to provide access based on the individual’s demonstrated need to view, add, change or delete data.

To satisfy this control objective, administrators must review all changes to the production environment and compare the changes to documented approvals to ensure the approval process is followed. From the archived audit log data, obtain a sample of regular and emergency changes made to applications or systems to determine whether they were adequately tested and approved before being placed into a production environment.

Trace the sample of changes back to the change request log and supporting documentation. Administrators must set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms. Configuration management ensures that security, availability, and processing integrity controls are set up in the system and maintained through its life cycle. Insufficient configuration controls can lead to security and availability exposures that might permit unauthorized access to systems and data and impact reporting.
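The comparison described above, tracing sampled changes from the archived audit logs back to the change request log, as an added example that is not TIBCO LogLogic code or output. The ticket ids, field names, hosts and timestamps are constructed assumptions, and the log events are assumed to be already parsed into records.

```python
from datetime import datetime

# Constructed change-request log; ticket ids and field names are assumptions.
CHANGE_REQUESTS = {
    "CHG-1001": {"target": "fw-edge-01", "approved_at": "2024-03-04T15:00", "tested": True,
                 "window": ("2024-03-04T22:00", "2024-03-05T02:00")},
    "CHG-1002": {"target": "rtr-core-02", "approved_at": "2024-03-06T09:30", "tested": True,
                 "window": ("2024-03-06T22:00", "2024-03-07T02:00")},
    # Emergency change: approval recorded after the fact, no test evidence.
    "ECH-0007": {"target": "app-db-03", "approved_at": "2024-03-08T11:00", "tested": False,
                 "window": ("2024-03-08T03:00", "2024-03-08T06:00")},
}

# Constructed configuration-change events, as parsed from archived audit logs.
EVENTS = [
    {"time": "2024-03-04T23:10", "host": "fw-edge-01", "user": "jdoe", "ticket": "CHG-1001"},
    {"time": "2024-03-06T14:05", "host": "rtr-core-02", "user": "asmith", "ticket": "CHG-1002"},
    {"time": "2024-03-08T03:40", "host": "app-db-03", "user": "oncall", "ticket": "ECH-0007"},
    {"time": "2024-03-09T01:15", "host": "fw-edge-01", "user": "jdoe", "ticket": None},
]

def check_change(event, requests):
    """Return the list of change-management exceptions for one logged change."""
    req = requests.get(event["ticket"])
    if req is None:
        return ["no matching change request"]
    when = datetime.fromisoformat(event["time"])
    start, end = (datetime.fromisoformat(t) for t in req["window"])
    findings = []
    if req["target"] != event["host"]:
        findings.append("request covers a different system")
    if datetime.fromisoformat(req["approved_at"]) > when:
        findings.append("implemented before approval")
    if not req["tested"]:
        findings.append("no test evidence")
    if not start <= when <= end:
        findings.append("outside approved window")
    return findings

def audit(events, requests):
    """Map (time, host) of each non-compliant change to its exceptions."""
    report = {}
    for ev in events:
        findings = check_change(ev, requests)
        if findings:
            report[(ev["time"], ev["host"])] = findings
    return report
```

Calling `audit(EVENTS, CHANGE_REQUESTS)` returns only the changes that need follow-up, keyed by when and where they were made.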

Reports and Alerts

Use the following reference to see the SA-10 reports and alerts: SA-10.