Requirement:
The cybersecurity requirements in project and assets (information/technology) change management must include at least the following:
Sub-Controls:
1-6-2-1:
Requirement:
Vulnerability assessment and remediation.
Control Implementation Guidelines:
- Define and document the requirements of this control in the cybersecurity requirements document and have them approved by the representative
- Define systems, services, and technology components subject to vulnerability assessment within the scope of technical projects and change requests
- Develop and adopt procedures for the implementation of vulnerability assessment and remediation in accordance with related laws and regulations
- Conduct a vulnerability assessment before launching technical projects in the production environment, assess the findings in a timely manner, and address them effectively
- Conduct a vulnerability assessment before implementing changes to the production environment, assess the findings in a timely manner, and address them effectively
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- A report that outlines the assessment and remediation of cybersecurity vulnerabilities throughout the technical project lifecycle and changes to information and technology assets
1-6-2-2:
Requirement:
Conducting a configurations review, secure configuration and hardening and patching before changes or going live for technology projects.
Control Implementation Guidelines:
- Define systems, services, and technology components subject to Secure Configuration and Hardening review within the scope of technical projects and change requests
- Provide technical Security Standard controls for systems, services, and technology components subject to Secure Configuration and Hardening review
- Develop and adopt procedures for the implementation of Secure Configuration and Hardening review in accordance with the relevant laws and regulations
- Review Secure Configuration and Hardening, as well as patching, before launching technology projects in the production environment
- Review Secure Configuration and Hardening, as well as patching, before implementing changes to the production environment
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Technical Security Standard controls for systems, services, and technology components subject to Secure Configuration and Hardening review
- A report that outlines the assessment and review of Secure Configuration and Hardening throughout the technical project lifecycle and changes to information and technology assets in the organization before launching projects and implementing changes