Release Management

The release management architecture is the set of conceptual patterns that support the movement of pre-production technical resources into production. Pre-production includes all the activities that are necessary to prove that a particular resource is appropriate for the technical, business, and operational environment and does not exceed a risk profile for a particular task. Significant release management patterns include those for release scheduling, release acceptance, and audit. Release management plays a vital role both as a process and as a set of technologies, and it provides a vital control point for request, change, and configuration management processes and architectures.

Cloud Controls Matrix (CCM) Data

RM-03 | Release Management | Quality Testing

Control Specification

A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions shall be established, documented and tests of the system(s) shall be carried out both during development and prior to acceptance to maintain security. Management shall have a clear oversight capacity in the quality testing process with the final product being certified as "fit for purpose" (the product should be suitable for the intended purpose) and "right first time" (mistakes should be eliminated) prior to release.

Architectural Relevance

Physical | Network | Compute | App | Data
False | True | True | True | True

Corp Gov Relevance

Corp Gov Relevance
True

Cloud Service Delivery Model Applicability

SaaS | PaaS | IaaS
True | True | True

Supplier Relationship

Service Provider | Tenant / Consumer
True | False

Scope Applicability

COBIT 4.1 | HIPAA / HITECH Act | ISO/IEC 27001-2005

PO 8.1

A.6.1.3
A.10.1.1
A.10.1.4
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2

NIST SP800-53 R3 | FedRAMP (Final 2012) Low Impact | FedRAMP (Final 2012) Moderate Impact | PCI DSS v2.0

CM-1
CM-2
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-13

NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5

NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)

1.1.1
6.1
6.4

BITS Shared Assessments SIG v6.0 | BITS Shared Assessments SIG v5.0 | GAPP (Aug 2009)

C.1.7, G.1, G.6, I.1, I.4.5, I.2.18, I.22.1, I.22.3, I.22.6, I.2.23, I.2.22.2, I.2.22.4, I.2.22.7, I.2.22.8, I.2.22.9, I.2.22.10, I.2.22.11, I.2.22.12, I.2.22.13, I.2.22.14, I.2.20, I.2.17, I.2.7.1, I.3, J.2.10, L.9

9.1.0
9.1.1
9.2.1
9.2.2

Jericho Forum | NERC CIP

Commandment #1
Commandment #2
Commandment #3

Release Management (RM) | ID #RM-03.1

Do you provide your tenants with documentation which describes your quality assurance process?

Compliance Mapping

COBIT | HIPAA | ISO27001 | SP800_53

COBIT 4.1 PO 8.1

A.6.1.3
A.10.1.1
A.10.1.4
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2

NIST SP800-53 R3 CM-1
NIST SP800-53 R3 CM-2
NIST SP800-53 R3 SA-3
NIST SP800-53 R3 SA-4
NIST SP800-53 R3 SA-5
NIST SP800-53 R3 SA-8
NIST SP800-53 R3 SA-10
NIST SP800-53 R3 SA-11
NIST SP800-53 R3 SA-13

FedRAMP | PCI_DSS | BITS | GAPP

PCI DSS v2.0 1.1.1
PCI DSS v2.0 6.1
PCI DSS v2.0 6.4

C.1.7, G.1, G.6, I.1, I.4.5, I.2.18, I.22.1, I.22.3, I.22.6, I.2.23, I.2.22.2, I.2.22.4, I.2.22.7, I.2.22.8, I.2.22.9, I.2.22.10, I.2.22.11, I.2.22.12, I.2.22.13, I.2.22.14, I.2.20, I.2.17, I.2.7.1, I.3, J.2.10, L.9

GAPP Ref 9.1.0
GAPP Ref 9.1.1
GAPP Ref 9.2.1
GAPP Ref 9.2.2

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True