Control requirements

Additional IBM Cloud for Financial Services specifications

The organization shall ensure that changes to customer data are subject to change control per customer requirements. Changes of any type should be communicated to the customer as they arise.

Container Security Requirements: • The build execution context and the build system must be trustable and maintained compliant to the security requirements to guarantee the integrity of images during the build process.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• Development processes and software integrity

NIST supplemental guidance

Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. The configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.