Sub-Requirement 6.4

6.4 Follow change control procedures for all system and software configuration changes. The procedures must include the following:

  • 6.4.1 Documentation of impact
  • 6.4.2 Management sign-off by appropriate parties
  • 6.4.3 Testing of operational functionality
  • 6.4.4 Back-out procedures

Illustrative Controls and TIBCO LogLogic Solution

Effective change management procedures address how an organization introduces change into the in-scope environment in an authorized, tested, and controlled fashion. Deficiencies in this area may significantly impact the confidentiality, integrity, and availability of cardholder data. Businesses must ensure that requests for program changes, system changes, and maintenance (including changes to system software) are standardized, documented, and subject to formal change management procedures.

To satisfy this requirement, administrators must review all changes to the production environment and compare the changes to documented approvals to ensure the approval process is followed. From the archived audit log data, obtain a sample of regular and emergency changes made to applications/systems to determine whether they were adequately tested and approved before being placed into a production environment. Trace the sample of changes back to the change request log and supporting documentation.
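The tracing step described above can be scripted once the sampled changes and the change request log are exported. The following is an added example, not part of the TIBCO LogLogic product or its reports; the record layouts, field names (ticket, impact, approved_at, tested, backout) and all sample values are constructed assumptions.

```python
from datetime import datetime

# Constructed sample of changes, as might be extracted from archived audit logs.
AUDIT_CHANGES = [
    {"host": "app01", "time": "2024-03-04T10:15:00", "ticket": "CR-1001", "kind": "regular"},
    {"host": "db02",  "time": "2024-03-05T02:40:00", "ticket": "CR-1002", "kind": "emergency"},
    {"host": "web03", "time": "2024-03-06T14:05:00", "ticket": None,      "kind": "regular"},
    {"host": "app01", "time": "2024-03-07T09:30:00", "ticket": "CR-1003", "kind": "regular"},
]

# Constructed change request log keyed by ticket; one hypothetical field per 6.4.x element.
CHANGE_REQUESTS = {
    "CR-1001": {"impact": "Restart of payment API", "approved_at": "2024-03-03T16:00:00",
                "tested": True, "backout": "Redeploy previous build"},
    "CR-1002": {"impact": "Index rebuild", "approved_at": "2024-03-05T08:00:00",
                "tested": True, "backout": "Restore snapshot"},
    "CR-1003": {"impact": "", "approved_at": "2024-03-06T11:00:00",
                "tested": False, "backout": ""},
}

def trace_change(change, requests):
    """Trace one change to its request and return the 6.4.x gaps found."""
    req = requests.get(change["ticket"])
    if req is None:
        return ["no matching change request"]
    gaps = []
    if not req["impact"]:
        gaps.append("6.4.1 impact not documented")
    approved = req.get("approved_at")
    # Sign-off must exist and must predate the change seen in the audit log.
    if not approved or datetime.fromisoformat(approved) > datetime.fromisoformat(change["time"]):
        gaps.append("6.4.2 no sign-off before the change")
    if not req["tested"]:
        gaps.append("6.4.3 testing not recorded")
    if not req["backout"]:
        gaps.append("6.4.4 no back-out procedure")
    return gaps

def review(changes, requests):
    """Map (host, time) of each change to its gaps; changes with no gaps are omitted."""
    findings = {}
    for c in changes:
        gaps = trace_change(c, requests)
        if gaps:
            findings[(c["host"], c["time"])] = gaps
    return findings

if __name__ == "__main__":
    for key, gaps in review(AUDIT_CHANGES, CHANGE_REQUESTS).items():
        print(key, gaps)
```

The emergency change on db02 is flagged because its sign-off is timestamped after the change appears in the audit log, which is the case a reviewer would then check against supporting documentation.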

Reports and Alerts

To see the reports and alerts for 6.4.1, 6.4.2, 6.4.3, and 6.4.4, use the following reference: 6.4.1, 6.4.2, 6.4.3, and 6.4.4 on page 103.