ECPC-2 Production Code Change Controls


Overview

Application programmer privileges to change production code and data are limited and reviewed every 3 months.

MAC / CONF: MACI, MACII
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
The reliability, availability, and integrity of applications are at risk if there are too many programmers making production code and data changes. An effective configuration management plan should address managing and monitoring the personnel allowed to make code changes with a review accomplished every 3 months.

Guidance
1. The Configuration Control Board (CCB), consisting of, at minimum, a Program Manager, Information Assurance Manager, or the Information Assurance Officer shall identify the files/data sets that contain production code or production data and then authorize and document who is allowed to make changes to the production code or data.
2. The System Administrator shall limit the application programmer accounts to the minimum number of privileges needed to perform their assigned duties.
3. The CCB shall limit and periodically review the total number of application programmers authorized to make production code changes.

References

  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995
  • DISA, Recommended Standard Application Security Requirements Version 2, March 2003
  • DISA, Application Security Checklist, Version 2.0, Release 1.5, 28 January 2005