Section 2: Change Management
This section establishes how TxDOT uses configuration, change, and patch management processes as part of its Business Continuity policy, and describes the minimum standards that must be in place to effectively support continued business functions when normal operations have been compromised. This approach addresses the “Recover” objective of the Texas CyberSecurity Framework and provides a baseline for business functions.
TxDOT will create an Authority to Operate (ATO) certification process during which the Information Security Office reviews system security configurations. Documentation gathered during this process will become the baseline from which all changes are measured. The baseline for each information system will be reviewed and updated whenever there is a change in configuration. TxDOT must maintain at least N-1 currency for all its software assets.
All changes to the baseline configuration must be evaluated, approved, tested, released, and documented. TxDOT approves changes in three approaches through the Change Approval Board (CAB): regular changes, normal changes, and emergency changes. Changes will not be released into production without the approval of the ISO and the system or information owner. Additionally, changes will be audited against the ATO configuration at planned intervals.
Patch management follows the Change Management processes. TxDOT uses software, firmware, or middleware only from vendors who provide continued support and updates. These vendors provide updates and service packs; TxDOT obtains and tracks information on these updates on a regular basis depending on each vendor's release schedule.
Individuals who use TxDOT information resources and who need to request changes to an information system will follow the change request procedures. All information owners will ensure that their systems are updated and patched so that information systems remain in compliance with this policy.
The Information Security Office must:
- review proposed configurations
- grant Authority to Operate certificates.
Compliance and Standards
See the “Change Management Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Business Continuity Policy.