Description
The organization: (i) approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and (ii) generates, retains, and reviews records reflecting all such changes.
Supplemental Guidance
Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Enhancements
(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
Compliance Mappings
ISO 27002:2022
8.19
NIST CSF 2.0
ID.RA-07
SOC 2 TSC
CC8.1-POF2, CC8.1-POF9
ISO 17799 (legacy)
11.6.1
COBIT 4.1 (legacy)
None.