3.4.4 has a weight of -1 points

(Configuration Management Family) 4/9

Analyze the security impact of changes prior to implementation.

Example of System Security Plan (SSP):

System Security Plan (SSP) – Control 3.4.4: Analyzing Security Impact of Changes Prior to Implementation

Purpose: To ensure that before any changes are implemented in the system, their potential security implications are fully analyzed, maintaining the system’s integrity and security.

Scope: This plan governs all proposed alterations to the company’s IT infrastructure, encompassing software, hardware, and network configurations.

1. Change Initiation:

      • Any system changes with potential security implications must be recorded in the IT ticketing system, providing a clear description of the change, its purpose, possible effects, and related details.

2. Designated Personnel & Expertise:

      • Selected personnel such as system administrators, system security officers, system security managers, and system security engineers are tasked with conducting security impact analyses.
      • These individuals must possess the technical expertise and training needed to fully understand the security ramifications of system changes.

3. Review of Current Security Stance & System Design:

      • The current security requirements and controls are revisited by reviewing the security plans.
      • System design documentation is scrutinized to understand the existing control implementations and assess how proposed changes might affect them.

4. Risk Management & Security Impact Analysis:

      • A rigorous risk assessment is conducted to determine the potential impact of the proposed changes and to decide whether supplementary controls are required.
      • Adherence to SP 800-128 guidance is maintained for the configuration change control and security impact analysis.
      • Documentation is created for the analysis results, capturing identified risks, control modifications, and any required additional controls.

5. Communication & Stakeholder Approval:

      • Security impact analysis results are disseminated to pertinent stakeholders, such as system owners, project managers, and security teams.
      • Before moving forward, necessary approvals are obtained from these stakeholders, factoring in any additional controls or risk mitigation measures identified.

6. Change Implementation & Post-Monitoring:

      • After receiving approvals, the changes are implemented, ensuring that all necessary security controls are properly set up and configured.
      • A continuous monitoring regimen is established to verify that the changes are producing the intended security effects and are functioning optimally.

7. Continuous Improvement & Periodic Review:

      • The security impact analysis process is subjected to periodic evaluations, incorporating lessons learned to enhance its effectiveness and ensure the company remains abreast of evolving security requirements.

Example of Plan of Action and Milestones (POA&M):

Plan of Action and Milestones (POA&M) – Control 3.4.4


1. Issue/Weakness: Incomplete documentation for some system changes.

Actions:

  • Review all recent changes to identify those lacking documentation.
  • Ensure the IT ticketing system captures essential data for each change.

Responsible Party: System Security Manager

Estimated Completion Date: MM/DD/YYYY

Status: In Progress


2. Issue/Weakness: Inconsistent security impact analysis across teams.

Actions:

  • Develop a standardized security impact analysis template.
  • Conduct training sessions for relevant personnel on using the template and performing thorough analyses.

Responsible Party: System Security Engineers & Training Department

Estimated Completion Date: MM/DD/YYYY

Status: Not Started


3. Issue/Weakness: Delayed communication to stakeholders about the results of the security impact analysis.

Actions:

  • Create a communication protocol ensuring timely dissemination of analysis results.
  • Implement automatic notifications via the IT ticketing system to stakeholders.

Responsible Party: System Security Officers & IT Department

Estimated Completion Date: MM/DD/YYYY

Status: In Progress


4. Issue/Weakness: Lack of adherence to SP 800-128 guidance in some instances.

Actions:

  • Organize workshops to educate teams on SP 800-128 guidelines.
  • Perform periodic audits to ensure compliance with the guidance.

Responsible Party: System Security Managers & Internal Audit Team

Estimated Completion Date: MM/DD/YYYY

Status: Not Started


5. Issue/Weakness: Periodic reviews of the security impact analysis process are irregular.

Actions:

  • Schedule fixed intervals (e.g., quarterly) for reviews.
  • Assign a dedicated team to gather feedback and make necessary adjustments after each review.

Responsible Party: System Security Administrator & Review Team

Estimated Completion Date: MM/DD/YYYY

Status: In Progress

RELEVANT INFORMATION:

Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required. [SP 800-128] provides guidance on configuration change control and security impact analysis.
Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.