| Regarding access restrictions for changes made to organization defined information system components and system level information, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.
Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
A two-person rule requires two separate individuals to acknowledge and approve those changes. A two-person rule for changes to critical application components helps to reduce risks pertaining to availability and integrity.
The IA posture of the AS does not warrant application of the two-person rule.
|
