Description:
Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required. [SP 800-28] provides guidance on configuration change control and security impact analysis.
Priority: Medium
Category: Change Management
Associated AWS Services:
- AWS Config, AWS Security Hub, AWS IAM
- AWS IAM, AWS Security Hub
- AWS Security Hub, AWS Config, AWS CloudTrail
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation of role-based security training being performed
- Administrative: supporting documentation of professional competence by individual(s) performing log reviews
- Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
- Technical: screen shot of Configuration Management Database (CMDB) console
Possible Technology Considerations:
- Change Control Solution
- Configuration Management Database (CMDB)
- IT Asset Management (ITAM)
What needs to be answered:
Are changes that affect system security requirements tested and documented prior to implementation? Are they tested after implementation to ensure there is no negative impact on security or other system operations?
- Analyze Security Impact of Changes
  Description: This check ensures that organizations conduct a thorough security impact analysis prior to implementing changes to their systems. Personnel with information security responsibilities review security plans and system design documentation and perform risk assessments to understand the potential security ramifications of proposed changes. This analysis helps identify any additional security controls that may be required to mitigate risks associated with the changes.
- Security-Aware Personnel for Impact Analysis
  Description: This check verifies that organizations have designated personnel with information security responsibilities to conduct security impact analyses. These individuals possess the necessary skills and technical expertise to effectively assess the security implications of changes. By having security-aware personnel involved in the analysis, organizations can ensure a comprehensive understanding of the potential security impacts.
- Comprehensive Security Impact Analysis
  Description: This check emphasizes the need for a comprehensive security impact analysis that encompasses multiple factors. The analysis includes reviewing security plans and system design documentation and conducting risk assessments to identify potential security risks associated with proposed changes. It also evaluates the adequacy of existing controls and determines whether additional controls are needed to address the identified risks.
  Related AWS Service: AWS Security Hub, AWS Config, AWS CloudTrail
- Documentation of Security Impact Analysis
  Description: This check ensures that the results of security impact analyses are properly documented. The documentation includes a detailed assessment of the security ramifications of changes, identification of risks, and recommendations for additional controls if needed. Documenting the security impact analysis maintains a record of security decisions and provides a reference for future audits or reviews.
  Related AWS Service: AWS Security Hub, AWS Config, AWS CloudTrail
More Details:
The security impact of changes is reviewed and considered by IT support staff prior to implementation.