In systematic cyber security work, the impact of significant changes must be assessed in advance, and the changes themselves must be executed in a controlled way. The consequences of unintentional changes must likewise be assessed, and efforts made to mitigate their possible adverse effects.
Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.
Inadequate change management is a common cause of incidents for digital services.
An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:
Unmanaged installations of software on computers can lead to vulnerabilities and security breaches.
The organization should determine what types of software or updates each user can install. The instructions may include e.g. the following guidelines:
Once a vulnerability is identified, suppliers are often under significant pressure to release patches as soon as possible. As a result, a patch may not adequately address the issue and may have harmful side effects.
In evaluating patches, the following things, for example, should be taken into account: