CM-07 Change Management

Developer Access to Production

Standing developer prod access is minimised and controlled.

Domain: Change Management
Control type: Preventive/Detective
Automated / manual: Hybrid
Frequency: Per event
Framework reference: MAS TRM – Change/Access

What good looks like

Developer prod access is restricted; break-glass is time-bound, approved, logged, reviewed.

Risk if it fails

Unauthorised, untracked production changes.

How Tess tests it

3 tests — each concludes only on cited evidence.

Prod-access model & break-glass defined

Design

Procedure: Inspect the model/procedure.
Expected: Restricted access; break-glass defined.
Sample: 1 (design inspection)
Evidence: Access listing, break-glass logs and reviews.

Standing developer prod access minimal

Operating

Procedure: Inspect prod access.
Expected: None or justified.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Access listing, break-glass logs and reviews.

Break-glass approved, time-bound, logged, reviewed

Operating

Procedure: Sample break-glass events.
Expected: Controlled and reviewed.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Access listing, break-glass logs and reviews.

Evidence Tess looks for

Access listing, break-glass logs and reviews.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production

Want Tess to test CM-07 against your evidence?