Leadline Inc.
Control Requirements

CM-04: Change Communication and Stakeholder Approval

Communication of changes to stakeholders and approval process before production implementation

Control Description

Each change that might affect the security, availability, confidentiality, processing integrity, and/or privacy (update as applicable) of the in-scope applications and databases is communicated to affected stakeholders (both internal and external users, as applicable) for review and approval prior to implementation into the production environment.

Plain Meaning

Before making any changes that could impact your system's security, availability, or data privacy, you must notify all relevant people (both inside and outside your organization) and get their approval. This ensures that everyone who might be affected by the change has a chance to review it and raise any concerns before it goes live.

Implementation Examples

GitHub Pull Request Workflow

1. Pull Request Template

# .github/pull_request_template.md
## Change Summary
Brief description of the changes being made

## Impact Assessment
- [ ] Security impact
- [ ] Availability impact  
- [ ] Confidentiality impact
- [ ] Processing integrity impact
- [ ] Privacy impact

## Affected Systems
- [ ] Application code
- [ ] Database schema
- [ ] Infrastructure
- [ ] Configuration files
- [ ] External integrations

## Stakeholder Review Required
- [ ] Security team
- [ ] DevOps team
- [ ] Product team
- [ ] Legal/Compliance team
- [ ] External stakeholders (if applicable)

## Testing Completed
- [ ] Unit tests
- [ ] Integration tests
- [ ] Security tests
- [ ] Performance tests
- [ ] User acceptance testing

## Rollback Plan
Description of how to rollback these changes if needed

## Approval Checklist
- [ ] Code review completed
- [ ] Security review completed
- [ ] Performance review completed
- [ ] Legal review completed (if applicable)
- [ ] Stakeholder approval received

2. GitHub Actions for Stakeholder Notification

# .github/workflows/stakeholder-notification.yml
name: Stakeholder Change Notification

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege: the job only reads the repository. Notifications go out
# through webhook secrets, so the GITHUB_TOKEN needs no write scopes.
permissions:
  contents: read

jobs:
  notify-stakeholders:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # Full history: the default shallow clone does not contain the base
          # SHA, so the git diff below would fail with "bad object".
          fetch-depth: 0

      - name: Analyze changes
        id: analyze
        run: |
          # Analyze changed files to determine impact. Every flag defaults to
          # false so later steps and messages never see an empty value.
          SECURITY=false
          DATABASE=false
          INFRA=false
          CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})

          # Check for security-related changes
          if echo "$CHANGED_FILES" | grep -q "security\|auth\|encryption"; then
            SECURITY=true
          fi

          # Check for database changes
          if echo "$CHANGED_FILES" | grep -q "migration\|schema\|database"; then
            DATABASE=true
          fi

          # Check for infrastructure changes
          if echo "$CHANGED_FILES" | grep -q "terraform\|kubernetes\|docker"; then
            INFRA=true
          fi

          {
            echo "security_impact=$SECURITY"
            echo "database_impact=$DATABASE"
            echo "infrastructure_impact=$INFRA"
          } >> "$GITHUB_OUTPUT"

      - name: Send Slack notification
        if: steps.analyze.outputs.security_impact == 'true' || steps.analyze.outputs.database_impact == 'true'
        # Only GitHub-controlled identifiers (repository, PR number, login, URL)
        # are interpolated into this script. Free-text fields such as the PR
        # title or body must never be expanded into a run: block this way.
        run: |
          curl -X POST ${{ secrets.SLACK_WEBHOOK_URL }} \
            -H 'Content-type: application/json' \
            -d '{
              "text": "🔔 Change requiring stakeholder review detected",
              "attachments": [{
                "color": "#ff6b6b",
                "fields": [
                  {
                    "title": "Repository",
                    "value": "${{ github.repository }}",
                    "short": true
                  },
                  {
                    "title": "PR Number",
                    "value": "#${{ github.event.pull_request.number }}",
                    "short": true
                  },
                  {
                    "title": "Author",
                    "value": "${{ github.event.pull_request.user.login }}",
                    "short": true
                  },
                  {
                    "title": "Impact",
                    "value": "Security: ${{ steps.analyze.outputs.security_impact }}, Database: ${{ steps.analyze.outputs.database_impact }}",
                    "short": true
                  },
                  {
                    "title": "Review Required",
                    "value": "This change requires stakeholder approval before merging",
                    "short": false
                  }
                ],
                "actions": [
                  {
                    "type": "button",
                    "text": "Review PR",
                    "url": "${{ github.event.pull_request.html_url }}"
                  }
                ]
              }]
            }'

      - name: Create JIRA ticket
        if: steps.analyze.outputs.security_impact == 'true'
        run: |
          curl -X POST ${{ secrets.JIRA_WEBHOOK_URL }} \
            -H 'Content-type: application/json' \
            -H 'Authorization: Basic ${{ secrets.JIRA_AUTH }}' \
            -d '{
              "fields": {
                "project": {"key": "SEC"},
                "summary": "Security review required for PR #${{ github.event.pull_request.number }}",
                "description": "Security-related changes detected in ${{ github.repository }}",
                "issuetype": {"name": "Task"},
                "priority": {"name": "High"}
              }
            }'
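The template and the workflow above communicate a change and ask for review, but neither checks that the declared impacts actually received the matching stakeholder sign-off before merge. The following merge gate is an added example, not code from the Leadline page or its workflow: it parses a PR body written with the template (section titles and checkbox labels are taken from it) and lists what still blocks approval. The impact-to-reviewer mapping, the rule that a security review is required only when a security or confidentiality impact is declared, and the sample PR bodies are assumptions constructed for the example; in CI the body would come from `github.event.pull_request.body`.

```python
"""Merge gate for the CM-04 pull request template (added example)."""
import re
from dataclasses import dataclass, field

# Assumed policy: which stakeholder must be asked to review each impact area.
REVIEWER_FOR_IMPACT = {
    "Security impact": "Security team",
    "Availability impact": "DevOps team",
    "Confidentiality impact": "Security team",
    "Processing integrity impact": "Product team",
    "Privacy impact": "Legal/Compliance team",
}
ALWAYS_REQUIRED = ("Code review completed", "Stakeholder approval received")
SECURITY_IMPACTS = ("Security impact", "Confidentiality impact")
# Placeholder text from the template; an unedited rollback section is not a plan.
ROLLBACK_PLACEHOLDER = "Description of how to rollback these changes if needed"

HEADING = re.compile(r"^##\s+(?P<title>.+?)\s*$")
CHECKBOX = re.compile(r"^\s*-\s*\[(?P<mark>[ xX])\]\s*(?P<label>.+?)\s*$")


@dataclass
class Section:
    boxes: dict = field(default_factory=dict)  # checkbox label -> ticked
    text: list = field(default_factory=list)   # free-text lines


def parse_template(body: str) -> dict:
    """Split a PR body into {section title: Section}."""
    sections, current = {}, None
    for line in body.splitlines():
        if (h := HEADING.match(line)):
            current = sections.setdefault(h.group("title"), Section())
            continue
        if current is None:
            continue
        if (c := CHECKBOX.match(line)):
            current.boxes[c.group("label")] = c.group("mark") != " "
        elif line.strip():
            current.text.append(line.strip())
    return sections


def ticked(sections: dict, title: str, label: str) -> bool:
    return sections.get(title, Section()).boxes.get(label, False)


def blocking_findings(body: str) -> list:
    """Return the reasons the PR is not yet approvable; [] means clear."""
    s = parse_template(body)
    findings = []
    impacts = [k for k, v in s.get("Impact Assessment", Section()).boxes.items() if v]
    # Every declared impact must have the matching stakeholder review requested.
    for impact in impacts:
        team = REVIEWER_FOR_IMPACT.get(impact)
        if team and not ticked(s, "Stakeholder Review Required", team):
            findings.append(f"{impact} ticked but review by {team} not requested")
    # Code review and stakeholder approval are always required; a security
    # review is required once a security-relevant impact has been declared.
    required = list(ALWAYS_REQUIRED)
    if any(i in SECURITY_IMPACTS for i in impacts):
        required.append("Security review completed")
    for item in required:
        if not ticked(s, "Approval Checklist", item):
            findings.append(f"approval item outstanding: {item}")
    # The rollback plan must be written, not left as the template placeholder.
    plan = " ".join(s.get("Rollback Plan", Section()).text)
    if not plan or plan == ROLLBACK_PLACEHOLDER:
        findings.append("rollback plan not provided")
    return findings


# Constructed sample PR body: security impact declared and fully reviewed.
APPROVED_BODY = """## Change Summary
Rotate the session-signing key and shorten cookie lifetime

## Impact Assessment
- [x] Security impact
- [ ] Availability impact
- [ ] Confidentiality impact
- [ ] Processing integrity impact
- [ ] Privacy impact

## Stakeholder Review Required
- [x] Security team
- [ ] DevOps team
- [ ] Product team
- [ ] Legal/Compliance team
- [ ] External stakeholders (if applicable)

## Rollback Plan
Re-deploy previous release; old key remains valid for 24h.

## Approval Checklist
- [x] Code review completed
- [x] Security review completed
- [ ] Performance review completed
- [ ] Legal review completed (if applicable)
- [x] Stakeholder approval received
"""

# Constructed sample: same change with the security review skipped and the
# rollback section left at the template placeholder.
UNAPPROVED_BODY = (
    APPROVED_BODY.replace("- [x] Security team", "- [ ] Security team")
    .replace("- [x] Security review completed", "- [ ] Security review completed")
    .replace("Re-deploy previous release; old key remains valid for 24h.", ROLLBACK_PLACEHOLDER)
)

if __name__ == "__main__":
    for name, body in (("approved", APPROVED_BODY), ("unapproved", UNAPPROVED_BODY)):
        print(name, blocking_findings(body) or "clear to merge")
```

Run as a required status check, a non-empty findings list fails the job, which keeps the "Stakeholder approval received" box from being merely decorative; the checkbox state is taken from the PR body, so pair it with branch protection that requires reviews from the named teams if the body itself must not be the only evidence.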
