CM-16: Monthly Production Change Review
Monthly review of production environment changes by information security team to verify authorization and separation of duties
Control Description
On a monthly basis, all changes to the production environment related to the in-scope applications and related databases are reviewed by a member of the information security team to verify that each change was authorized and that no changes were developed and promoted by the same individual.
Plain Meaning
Every month, someone from the security team must review all the changes that were made to production systems to make sure each change was properly approved and that the same person didn't both create the change and deploy it to production. This separation of duties makes it harder for any one person to push an unauthorized change and gives the security team regular oversight of production modifications.
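As an added illustration (not part of the control text, and not any organization's actual procedure), the following Python sketch runs the two checks the monthly reviewer performs over a constructed change log: it flags changes with no recorded approval and changes where the same account both developed and promoted the change. The record fields (change_id, environment, author, deployer, approver, deployed_at) are assumptions, as is treating an approval given by the change's own author as a finding; real change-management systems expose different fields.

```python
"""Monthly production change review: authorization and separation-of-duties checks.

Added example, not part of the control text. Field names and the
"self_approved" finding are assumptions; adapt to the change-management
system actually in use.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Change:
    change_id: str
    environment: str
    author: str              # account that developed / committed the change
    deployer: str            # account that promoted it to the environment
    approver: Optional[str]  # account that approved it, or None if no approval recorded
    deployed_at: date


# Constructed sample records for one review month (not real data).
SAMPLE_CHANGES = [
    Change("CHG-1001", "production", "alice", "bob",   "carol", date(2024, 3, 3)),   # clean
    Change("CHG-1002", "production", "dave",  "dave",  "carol", date(2024, 3, 9)),   # author == deployer
    Change("CHG-1003", "production", "erin",  "bob",   None,    date(2024, 3, 14)),  # no approval
    Change("CHG-1004", "staging",    "frank", "frank", None,    date(2024, 3, 20)),  # out-of-scope env
    Change("CHG-1005", "production", "grace", "bob",   "grace", date(2024, 2, 28)),  # previous month
    Change("CHG-1006", "production", "heidi", "ivan",  "heidi", date(2024, 3, 25)),  # approved by author
]


def in_review_window(change: Change, year: int, month: int) -> bool:
    """True if the change was deployed in the calendar month under review."""
    return change.deployed_at.year == year and change.deployed_at.month == month


def review_changes(changes: Iterable[Change], year: int, month: int,
                   environment: str = "production") -> Dict[str, List[str]]:
    """Group change ids by finding for the given environment and review month.

    Findings:
      unauthorized  - no approver recorded
      self_approved - approver is the same account as the author (assumed finding)
      sod_violation - author and deployer are the same account
      clean         - none of the above
    """
    findings: Dict[str, List[str]] = {
        "unauthorized": [], "self_approved": [], "sod_violation": [], "clean": []
    }
    for c in changes:
        if c.environment != environment or not in_review_window(c, year, month):
            continue  # outside the scope of this month's review
        issues = []
        if c.approver is None:
            issues.append("unauthorized")
        elif c.approver == c.author:
            issues.append("self_approved")
        if c.author == c.deployer:
            issues.append("sod_violation")
        if not issues:
            findings["clean"].append(c.change_id)
        for issue in issues:
            findings[issue].append(c.change_id)
    return findings


if __name__ == "__main__":
    for finding, ids in review_changes(SAMPLE_CHANGES, 2024, 3).items():
        print(f"{finding:14s} {', '.join(ids) or '-'}")
```

Each non-empty finding list is what the reviewer would follow up on; an empty `unauthorized` and `sod_violation` list for the month is the evidence the control is asking for.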
Related Controls
CM-15: Data De-identification for Non-Production Environments
De-identification of confidential data before use in non-production environments
CM-17: Vulnerability Detection Before Production Release
Vulnerability scanning or peer review of source code before production deployment, with remediation of critical issues