
Facilitating Information Security Compliance ■ 145
TABLE 5-6 Assessment Questions (continued)
10.2.1 Is an impact analysis conducted to determine the effect of proposed changes on existing security controls, including the required training needed to implement the control?
10.2.2 Are system components tested, documented, and approved (operating system, utility, applications) prior to promotion to production?
10.2.3 Are software change request forms used to document requests and related approvals?
10.2.4 Are there detailed system specifications prepared and reviewed by management?
10.2.5 Is the type of test data to be used specified—live or made up?
10.2.6 ...