CM-05 Access Restrictions For Change

Control: The organization: (i) approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and (ii) generates, retains, and reviews records reflecting all such changes.

Supplemental Guidance: Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals obtain access to information system components for purposes of initiating changes, including upgrades, and modifications.

Control Enhancements: (1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

Baseline: LOW: Not Selected; MOD: CM-5; HIGH: CM-5 (1)

Family: Configuration Management

Class: Operational

ISO 17799 mapping: 11.6.1

COBIT 4.1 mapping: None.

PCI-DSS v2 mapping: 2.2