Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

By documenting who can deploy changes to your systems and when they can be deployed you protect the security of your systems. Only approved personnel are allowed to carry out approved changes at approved times. These personnel are granted the physical and logical access needed to carry out these changes.

Create a list of authorized personnel who may implement changes on your systems. Examples include documenting who is responsible for deploying software updates to workstations. Document their physical access restrictions (e.g., server room access) and logical access (e.g. which systems they are permitted to log into). You can use our system access authorizations document template to meet this requirement. Define the times and dates when changes to your system may be deployed. An example is restricting the deployment of software updates to Fridays after 6:00 PM.