Level 2


Description:

Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the skills and technical expertise needed to analyze changes to systems and their security ramifications. A security impact analysis may include reviewing security plans to understand the security requirements, and reviewing system design documentation to understand how controls are implemented and how a specific change might affect them. It may also include a risk assessment to better understand the impact of the change and to determine whether additional controls are required. [SP 800-128] provides guidance on configuration change control and security impact analysis.


Priority: Medium


Domain: CONFIGURATION MANAGEMENT (CM) 


Services Associated with AWS: 

  • AWS Config
  • AWS Security Hub
  • AWS IAM
  • AWS CloudTrail


Services Associated with Azure:

  • Azure Security Center
  • Azure Sentinel
  • Azure Policy
  • Azure Monitor
  • Azure Advisor
  • Azure DevOps
  • Azure Resource Manager (ARM)
  • Azure Governance
  • Azure Active Directory (Azure AD)
  • Azure Information Protection


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence of the individual(s) performing security impact analyses
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
  • Technical: screenshot of the Configuration Management Database (CMDB) console


Possible Technology Considerations:

  • Change Control Solution
  • Configuration Management Database (CMDB)
  • IT Asset Management (ITAM) 


What needs to be answered:

Are changes that affect system security requirements tested and documented prior to implementation? Are they tested after implementation to ensure there is no negative impact on security or other system operations? 


Checks for AWS

  • Analyze Security Impact of Changes
    Description: This check ensures that a security impact analysis is conducted before a change is implemented. Personnel with information security responsibilities review security plans and system design documentation and perform risk assessments to understand the security ramifications of the proposed change and to identify any additional controls needed to mitigate the risks it introduces.
  • Security-Aware Personnel for Impact Analysis
    Description: This check verifies that the organization has designated personnel with information security responsibilities to conduct security impact analyses, and that those individuals have the skills and technical expertise to assess the security implications of changes.
  • Comprehensive Security Impact Analysis
    Description: This check emphasizes that the analysis must consider multiple factors: the security plans, the system design documentation, and a risk assessment of the proposed change. It also evaluates whether existing controls remain adequate and whether additional controls are needed to address the identified risks. Note that AWS Config and AWS CloudTrail record what changed, when, and by whom; they evidence the change itself, not the analysis, which must be recorded in the change request before implementation.
    Related AWS Service: AWS Security Hub, AWS Config, AWS CloudTrail
  • Documentation of Security Impact Analysis
    Description: This check ensures that the results of each security impact analysis are documented, including the assessment of the change's security ramifications, the risks identified, and any additional controls recommended. The record preserves the basis for security decisions and provides a reference for later audits and reviews.


Checks for Azure

  • Conduct Security Impact Analysis for Changes
    Description: This check ensures that a security impact analysis is conducted before a change is implemented in Azure systems. Personnel with information security responsibilities review security plans and system design documentation and perform risk assessments to understand the security ramifications of the proposed change and to identify any additional controls needed to mitigate the risks it introduces.
  • Designate Security-Aware Personnel for Impact Analysis
    Description: This check verifies that the organization has designated personnel with information security responsibilities to conduct security impact analyses, and that those individuals have the skills and technical expertise to assess the security implications of changes.
  • Perform Comprehensive Security Impact Analysis
    Description: This check emphasizes that the analysis must consider multiple factors: the security plans, the system design documentation, and a risk assessment of the proposed change. It also evaluates whether existing controls remain adequate and whether additional controls are needed to address the identified risks.
  • Document Security Impact Analysis
    Description: This check ensures that the results of each security impact analysis are documented, including the assessment of the change's security ramifications, the risks identified, and any additional controls recommended. The record preserves the basis for security decisions and provides a reference for later audits and reviews.
  • Test Changes for Security Impact
    Description: This check verifies that changes are tested after implementation to confirm there is no negative impact on security or other system operations. Testing should validate that the implemented change did not introduce vulnerabilities or weaken the security posture of Azure systems, so that any issues arising from the change are identified and addressed promptly.


More Details: The security impact of each change is analyzed by personnel with information security responsibilities prior to implementation, and the change is tested after implementation to confirm it had no negative effect on security or other system operations.