Source Code Management

A form of version control for source code that allows for versioning of software, branching software into different releases, and controlling access to software.

Cloud Controls Matrix (CCM) Data

IS-33 | Information Security | Source Code Access Restriction

Control Specification

Access to application, program or object source code shall be restricted to authorized personnel on a need to know basis. Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed.

Architectural Relevance

Physical | Network | Compute | App | Data
False | False | True | True | True

Corp Gov Relevance

Corp Gov Relevance
False

Cloud Service Delivery Model Applicability

SaaS | PaaS | IaaS
True | True | True

Supplier Relationship

Service Provider | Tenant / Consumer
True | False

Scope Applicability

COBIT 4.1 | HIPAA / HITECH Act | ISO/IEC 27001-2005

Clause 4.3.3
A.12.4.3
A.15.1.3

NIST SP800-53 R3 | FedRAMP (Final 2012) Low Impact | FedRAMP (Final 2012) Moderate Impact | PCI DSS v2.0

CM-5
CM-6

NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-5 (1)
NIST SP 800-53 R3 CM-5 (5)

6.4.1
6.4.2

BITS Shared Assessments SIG v6.0 | BITS Shared Assessments SIG v5.0 | GAPP (Aug 2009)

I.2.7.2, I.2.9, I.2.10, I.2.15

1.2.6
6.2.1

Jericho Forum | NERC CIP

Commandment #6
Commandment #7
Commandment #9
Commandment #10

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-33.1

Are controls in place to prevent unauthorized access to your application, program or object source code, and assure it is restricted to authorized personnel only?

Compliance Mapping

COBIT | HIPAA | ISO27001 | SP800_53

Clause 4.3.3
A.12.4.3
A.15.1.3

NIST SP800-53 R3 CM-5
NIST SP800-53 R3 CM-6

FedRAMP | PCI_DSS | BITS | GAPP

NIST SP800-53 R3 CM-5
NIST SP800-53 R3 CM-5 (1)
NIST SP800-53 R3 CM-5 (5)
NIST SP800-53 R3 CM-6
NIST SP800-53 R3 CM-6 (1)
NIST SP800-53 R3 CM-6 (3)

PCI-DSS v2.0 6.4.1
PCI-DSS v2.0 6.4.2

SIG v6.0: I.2.7.2, I.2.9, I.2.10, I.2.15,

GAPP Ref 1.2.6
GAPP Ref 6.2.1

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-33.2

Are controls in place to prevent unauthorized access to tenant application, program or object source code, and assure it is restricted to authorized personnel only?

Compliance Mapping

COBIT | HIPAA | ISO27001 | SP800_53

Clause 4.3.3
A.12.4.3
A.15.1.3

NIST SP800-53 R3 CM-5
NIST SP800-53 R3 CM-6

FedRAMP | PCI_DSS | BITS | GAPP

NIST SP800-53 R3 CM-5
NIST SP800-53 R3 CM-5 (1)
NIST SP800-53 R3 CM-5 (5)
NIST SP800-53 R3 CM-6
NIST SP800-53 R3 CM-6 (1)
NIST SP800-53 R3 CM-6 (3)

PCI-DSS v2.0 6.4.1
PCI-DSS v2.0 6.4.2

SIG v6.0: I.2.7.2, I.2.9, I.2.10, I.2.15,

GAPP Ref 1.2.6
GAPP Ref 6.2.1

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True