CM-3 Configuration Change Control

Description

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications.

Configuration change control includes

  1. changes to baseline configurations for components and configuration items of information systems,
  2. changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices),
  3. unscheduled/unauthorized changes, and
  4. changes to remediate vulnerabilities.

Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems.

For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards.

Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

Applicability

The information resource owner, or designee, is responsible for ensuring that the risk mitigation measures described in this Control are implemented.

The intended audience is information resource owners and custodians of University information resources that store or process mission critical and/or confidential information.

Implementation

TAMU-CC incorporates change management processes, to which all offices that support information systems adhere, to ensure secure, reliable, and stable operations. Under the guidelines of the change management process, TAMU-CC:

  1. Determines the types of changes to the information system that are configuration-controlled, including formally identifying, classifying, prioritizing, and requesting changes;
  2. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
  3. Documents configuration change decisions associated with the information system, including identifying and deploying emergency changes;
  4. Implements approved configuration-controlled changes to the information system, including authorizing changes and exceptions;
  5. Retains records of configuration-controlled changes to the information system for at least 365 days, and tests changes;
  6. Audits and reviews activities associated with configuration-controlled changes to the information system, including implementing changes and planning for back-outs; and
  7. Coordinates and provides oversight for configuration change control activities through the University Technology Council (UTC) and a weekly Change Advisory Board (CAB), documenting and tracking changes.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019