Security Impact Analysis Worksheet
Date | |
Request Number | CMR- |
System |
The purpose of this checklist is to develop a set of questions for conducting a Security Impact Analysis (SIA) as required by IT0125-M – Configuration Management Plan. This checklist is intended for use as a guide when analyzing Change Requests for potential security risks.
Element | Description |
Detailed description of system and change(s), including ALL additions, deletions, and modifications. | |
Is the change initiator and/or change implementer aware of any potential security-related issues or challenges associated with the change(s)? If so, describe. | |
Known baseline changes (to security configuration baselines) | |
Systems and subsystems impacted by change(s) | |
Current security categorization of impacted system |
The following section is used to identify the controls that will be impacted through the implementation of the requested change.
Control | Impact | Yes | No |
AC | Will change(s) to the system affect how the system limits: (i) information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems); and (ii) the types of transactions and functions that authorized users are permitted to exercise? | ☐ | ☐ |
Description | |
AT | Will change(s) affect required system training to ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities? | ☐ | ☐ |
Description | |
AU | Will change(s) affect how the system meets audit requirements to (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions? | ☐ | ☐ |
Description | |
CM | Will change(s) to the system impact the (i) baseline configuration and inventory of organizational information systems; (ii) establishment and enforcement of security configuration settings; and (iii) ability to monitor and control changes to the baseline configurations and to the constituent components of the systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycle? | ☐ | ☐ |
Description | |
CP | Will change(s) to the system impact the (i) contingency plans for emergency response, backup operations, and disaster recovery for organizational information systems; and (ii) availability of critical information resources and continuity of operations in emergency situations? | ☐ | ☐ |
Description | |
IA | Will change(s) to the system impact how it (i) identifies users, processes acting on behalf of users, or devices; and (ii) authenticates (or verifies) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems? | ☐ | ☐ |
Description | |
IR | Will change(s) to the system impact (i) the operational incident handling capability for the information system, including detection, analysis, containment, recovery, and user response activities; and (ii) the ability to effectively track, document, and report incidents to CMS or other external entities? | ☐ | ☐ |
Description | |
MP | Will change(s) to the system impact how (i) information contained in the systems in printed form or on digital media is protected; (ii) access to information in printed form or on digital media removed from the systems is limited to authorized users; and (iii) digital media is sanitized or destroyed before disposal or release for reuse? | ☐ | ☐ |
Description | |
PE | Will change(s) to the system/system environment change how (i) physical access to information systems, equipment, and the respective operating environments is limited to authorized individuals; (ii) the physical plant and support infrastructure for information systems is protected; (iii) supporting utilities for information systems are provided; (iv) and (v) appropriate environmental controls in facilities are provided? | ☐ | ☐ |
Description | |
SC | Will change(s) to the system affect how (i) communications (i.e., information transmitted or received by organizational information systems) are monitored, controlled, and protected at the external boundaries and key internal boundaries of the information systems; and (ii) architectural designs, software development techniques, and systems engineering principles that promote effective information security are implemented? | ☐ | ☐ |
Description | |
SI | Will change(s) to the system affect how (i) system flaws are identified, reported, and corrected in a timely manner; (ii) malicious code protection is employed; (iii) system events are monitored and detected; (iv) the correct operation of security functions is verified; and (v) information is checked for accuracy, completeness, validity, and authenticity? | ☐ | ☐ |
Description | |
The following questions are used to identify potential security risks prior to hardware and software acquisitions, architecture modifications, code modifications, and/or new code development.
Security Impact Questions | Y | N | NA | Comments/Explanations |
Additional Software: Will additional software be used? If so, what application and version? | ☐ | ☐ | ☐ | |
IP Addresses: Will additional IP addresses be introduced? If so, what are those addresses? | ☐ | ☐ | ☐ | |
Network Ports: Will new ports, protocols, etc. be opened/created on the system? If so, explain. | ☐ | ☐ | ☐ | |
Interconnections: Are any new interconnections (internal or external) being introduced? If so, explain. | ☐ | ☐ | ☐ | |
Authentication Methods: Are authentication methods being added or modified? | ☐ | ☐ | ☐ | |
Are credentials encrypted both in transit and at rest? | ☐ | ☐ | ☐ | |
Sensitive Data: Is there sensitive/PII data in PPRD? | ☐ | ☐ | ☐ | |
If the data is sensitive, is it the same as the data in PROD? | ☐ | ☐ | ☐ | |
Is the sensitive data encrypted in transit and at rest? | ☐ | ☐ | ☐ | |
Are any new reports, emails, etc. being created that include PII? | ☐ | ☐ | ☐ | |
Do new reports, emails, etc. include provisions and markings to alert the recipient/reader that the information may be sensitive? | ☐ | ☐ | ☐ | |
Categorization: Will a new information type be processed, stored, or transmitted on the system? If so, explain. | ☐ | ☐ | ☐ | |
Will the new information type change the categorization of the system? If so, what is the new categorization? | ☐ | ☐ | ☐ | |
Least Functionality: Will additional functions be performed by the system as a result of the change? If so, explain. | ☐ | ☐ | ☐ | |
Separation of Duty: To address least privilege access, will the users have access to only those functions and data required to perform their job responsibilities? | ☐ | ☐ | ☐ | |
Is there any combination of duties / access to be granted that violates segregation of duties? | ☐ | ☐ | ☐ | |
Will access be removed as soon as it is no longer needed? | ☐ | ☐ | ☐ | |
Is any data stored on removable media? | ☐ | ☐ | ☐ | |
Has appropriate documentation been updated? | ☐ | ☐ | ☐ | |
Results and Recommendations:
Summary of Security Impact |
Primary Proposed Solution |
Alternate Proposed Solution |
Recommendation(s) |
Approval |
|