Julkri: TL IV-I
TEK-17: Change management procedures (Muutoshallintamenettelyt)

How to fill the requirement

Task name: Evaluation process and documentation of significant security-related changes
Theme: Risk management and leadership
Policy: Risk management

This task also fulfills these other security requirements:

6.3: Planning of changes (ISO27k1 Full)
8.1: Operational planning and control (ISO27k1 Full)
12.1.2: Change management (ISO27 Full)
6.5: Installation, maintenance and updating of information systems (Self-monitoring)
PR.IP-3: Configuration change control processes (NIST)
1. Task description

In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.

Task name: Change management procedure for significant changes to data processing services
Theme: Development and cloud
Policy: Secure development

This task also fulfills these other security requirements:

14.2.2: System change control procedures (ISO27 Full)
14.2.4: Restrictions on changes to software packages (ISO27 Full)
PR.DS-6: Integrity checking (NIST)
TEK-17: Change management procedures (Julkri)
8.32: Change management (ISO27k1 Full)
1. Task description

Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:

  • Defining and documenting the change
  • Assessing the risks and defining the necessary control measures
  • Other impact assessment of the change
  • Testing and quality assurance
  • Managed implementation of the change
  • Updating a change log

Task name: Authorized users and rules for installing software and libraries
Theme: Development and cloud
Policy: Technical vulnerability management

This task also fulfills these other security requirements:

12.6.2: Restrictions on software installation (ISO27 Full)
SUM-02: Keeping licensed software up to date (Cyber Essentials)
DE.CM-5: Unauthorized mobile code detection (NIST)
TEK-17: Change management procedures (Julkri)
8.19: Installation of software on operational systems (ISO27k1 Full)
1. Task description

Unmanaged installations of software on computers can lead to vulnerabilities and security breaches.

The organization should determine what types of software or updates each user is allowed to install. The instructions may include e.g. the following guidelines:

  • only specially designated persons may install new software on the devices
  • programs previously designated as secure may be installed by anyone
  • use of certain software may be prohibited for everyone
  • updates and security patches for existing software may be installed by anyone

Task name: Evaluating and testing patches before deployment
Theme: Development and cloud
Policy: Technical vulnerability management

This task also fulfills these other security requirements:

12.6.1: Management of technical vulnerabilities (ISO27 Full)
6.5: Installation, maintenance and updating of information systems (Self-monitoring)
TEK-17: Change management procedures (Julkri)
8.8: Management of technical vulnerabilities (ISO27k1 Full)
6.6: Installation, maintenance and updating of information systems (Tietoturvasuunnitelma, Information security plan)
1. Task description

Once a vulnerability is identified, suppliers are often under significant pressure to release a patch as soon as possible. As a result, the patch may not adequately address the issue and may have harmful side effects.

When evaluating patches, e.g. the following things should be taken into account:

  • whether the patch can be properly tested before deployment
  • whether it is wise to wait for other organizations' experiences with the patch
  • whether the patch is available from a trusted source
  • what the risks are of installing the patch, and of delaying the installation
  • whether other actions are needed, such as disabling the vulnerable features, increasing monitoring, or reporting the vulnerability