---+ DEV-03 Policies for Changes to System Components
---++ DEV-03.01B

1. Overview

Name: DEV-03.01B
Standard:
Policies and procedures with procedures and technical safeguards for change management of system components of the cloud service are documented, communicated and provided according to SP-01 with regard to the following aspects:
1. Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components;
2. Requirements for the performance and documentation of tests;
3. Requirements for segregation of duties during development, testing and release of changes;
4. Requirements for the proper information of cloud service customers about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements;
5. Requirements for the documentation of changes in system, operational and user documentation;
6. Requirements for the implementation and documentation of emergency changes such that - as far as reasonably possible - they comply with the same level of security as normal changes;
7. Requirements for the handling of unexpected effects of those changes, including corrective actions;
8. Requirements for the increased testing for the development of security features that implement technical mechanisms and safeguards; and
9. Requirements for managing exceptions, including emergency changes, to ensure related risks are appropriately mitigated.
Changes within the meaning of the basic criterion are those that can lead to changes in the configuration, functionality or security of system components of the cloud service in the production environment. This includes changes to the infrastructure as well as to the source code.
If individual changes are combined in a new release, update, patch or comparable software object for the purpose of software provisioning, this software object is deemed to be a change within the meaning of the basic criterion, but not the individual changes contained therein.
Changes to the existing network configuration also fall under this criterion and should likewise undergo a specified procedure, since the network configuration is necessary for the effective separation of cloud service customers.
Changes to the container environments, including the management of container images and versions, should also go through a regulated process.
Personnel and system components receive authorisation to approve changes in accordance with the requirements for access and access authorisations (cf. IAM-01) via a specified procedure (cf. IAM-02). Relevant information includes, for example, descriptions of new functions.
The cloud service customer's obligations to cooperate can stipulate, for example, that the cloud service customer has to carry out certain tests.
A centralised change management process is not mandatory. The cloud service provider has the flexibility to adopt the change management practices that best fit its operational needs, including agile methods, as long as they adhere to the documented procedures and technical safeguards.
1.1 References
1.2 Identified Requirements
1.3 Related Regulations

2. Identified Requirements

Requirements

| Source | Requirement |

3. Related Regulations

Regulations

| Source | Regulation |