CHG-04: Access Restriction For Change

There is no evidence of a capability to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.

Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Govern changes to systems, applications and services to ensure their stability, reliability and predictability. o Notify stakeholders about proposed changes.

• IT personnel use an informal process to:
• Logical Access Control (LAC) limits the ability of non-administrators from making unauthorized configuration changes to systems, applications and services.
• Requests for Change (RFC) are submitted to IT personnel.
• prior to changes being made, RFCs are informally reviewed for cybersecurity and data privacy ramifications.
• Whenever possible, IT personnel test changes to business-critical systems/services/applications on a similarly configured IT environment as that of Production, prior to widespread production release of the change.

Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for change management.
• Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
• A Change Advisory Board (CAB), or similar function, exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability.
• A CAB, or similar function, reviews RFCs for cybersecurity and data privacy ramifications.
• A CAB, or similar function, notifies stakeholders to ensure awareness of the impact of proposed changes.
• Logical Access Control (LAC) limits the ability of non-administrators from making unauthorized configuration changes to systems, applications and services.
• Cybersecurity controls are tested after a change is implemented to ensure cybersecurity controls are operating properly.

Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability. o Reviews RFC for cybersecurity and data privacy ramifications. o Notifies stakeholders to ensure awareness of the impact of proposed changes.

• An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
• ITAM leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
• Logical Access Control (LAC) is governed to limit the ability of non-administrators from making configuration changes to systems, applications and services.
• A formal Change Management (CM) program ensures that no unauthorized changes are made, that all changes are documented, that services are not disrupted and that resources are used efficiently.
• The CM function has formally defined roles and associated responsibilities.
• Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
• A Change Advisory Board (CAB), or similar function:
• IT personnel use dedicated development/test/staging environments to deploy and evaluate changes, wherever technically possible.

Change Management (CHG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in reviewing and approving proposed changes.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.