12.5.3 Restrictions on Changes to Software Packages

Illustrative Controls and TIBCO LogLogic Solution

Managing changes addresses how an organization modifies system functionality to help the business meet its ISO requirements. Deficiencies in this area may significantly impact reporting. For example, changes to the programs that allocate payment data require appropriate approvals and testing before the change is made, to ensure classification and reporting integrity. Businesses must ensure that requests for program changes, system changes, and maintenance (including changes to system software) are standardized, documented, and subject to formal change management procedures.

To fulfil this requirement, administrators must review all changes to the production environment and compare the changes to documented approvals to ensure that the approval process is followed. From the archived audit log data, obtain a sample of regular and emergency changes made to applications or systems to determine whether they were adequately tested and approved before being placed into a production environment. Trace the sample of changes back to the change request log and supporting documentation.

Reports and Alerts

Use the following link/reference to see the 12.5.3 reports and alerts: TIBCO LogLogic Reports and Alerts Quick Reference.