CHG-04.1: Automated Access Enforcement / Auditing
Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.
Control Question: Does the organization perform after-the-fact reviews of configuration change logs to discover any unauthorized changes?
General (15)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC8.1-POF10 CC8.1-POF11 |
| CSA CCM 4 | CCC-04 CCC-09 |
| GovRAMP Core | CM-05(01) |
| GovRAMP Moderate | CM-05(01) |
| GovRAMP High | CM-05(01) |
| IEC 62443-4-2 2019 | CR 3.4 (7.6.3(2)) |
| NIST 800-53 R4 | CM-5(1) |
| NIST 800-53 R4 (high) | CM-5(1) |
| NIST 800-53 R5 (source) | CM-5(1) |
| NIST 800-53B R5 (high) (source) | CM-5(1) |
| NIST 800-82 R3 HIGH OT Overlay | CM-5(1) |
| NIST 800-161 R1 | CM-5(1) |
| NIST 800-161 R1 Level 3 | CM-5(1) |
| SCF CORE ESP Level 2 Critical Infrastructure | CHG-04.1 |
| SCF CORE ESP Level 3 Advanced Threats | CHG-04.1 |
US (10)
| Framework | Mapping Values |
|---|---|
| US CMS MARS-E 2.0 | CM-5(1) |
| US DoD Zero Trust Reference Architecture 2.0 | 2.2.2 |
| US DHS CISA TIC 3.0 | 3.UNI.CMANA |
| US FedRAMP R4 | CM-5(1) |
| US FedRAMP R4 (moderate) | CM-5(1) |
| US FedRAMP R4 (high) | CM-5(1) |
| US FedRAMP R5 (source) | CM-5(1) |
| US FedRAMP R5 (moderate) (source) | CM-5(1) |
| US FedRAMP R5 (high) (source) | CM-5(1) |
| US - TX TX-RAMP Level 2 | CM-5(1) |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia OTCC-1 2022 | 1-5-4 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 6.11 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.
Level 3 — Well Defined
Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability. o Reviews RFC for cybersecurity and data privacy ramifications. o Notifies stakeholders to ensure awareness of the impact of proposed changes.
- An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
- ITAM leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
- Logical Access Control (LAC) is governed to limit the ability of non-administrators from making configuration changes to systems, applications and services.
- A formal Change Management (CM) program ensures that no unauthorized changes are made, that all changes are documented, that services are not disrupted and that resources are used efficiently.
- The CM function has formally defined roles and associated responsibilities.
- Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
- A Change Advisory Board (CAB), or similar function:
- IT personnel use dedicated development/test/staging environments to deploy and evaluate changes, wherever technically possible.
Level 4 — Quantitatively Controlled
Change Management (CHG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.
Assessment Objectives
- CHG-04.1_A01 mechanisms used to automate the enforcement of access restrictions are defined.
- CHG-04.1_A02 access restrictions for change are enforced using organization-defined automated mechanisms.
- CHG-04.1_A03 audit records of enforcement actions are automatically generated.
Technology Recommendations
Micro/Small
- Configuration Management Database (CMDB)
Small
- Configuration Management Database (CMDB)
Medium
- Configuration Management Database (CMDB)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Large
- Configuration Management Database (CMDB)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Enterprise
- Configuration Management Database (CMDB)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)