CM-04 Monitoring Configuration Changes

Control: The organization monitors changes to the information system, conducting security impact analyses to determine the effects of the changes.

Supplemental Guidance: Prior to change implementation, and as part of the change approval process, the organization analyzes changes to the information system for potential security impacts. After the information system is changed (including upgrades and modifications), the organization checks the security features to verify that the features are still functioning properly. The organization audits activities associated with configuration changes to the information system. Monitoring configuration changes and conducting security impact analyses are important elements with regard to the ongoing assessment of security controls in the information system. Related security control: CA-7.

Control Enhancements: (0) None.

Baseline: LOW: Not Selected; MOD: CM-4; HIGH: CM-4

Family: Configuration Management

Class: Operational

ISO 17799 mapping: 10.1.2

COBIT 4.1 mapping: DS5.5, DS9.3

PCI-DSS v2 mapping: 11.5