CM-4 Security Impact Analysis
Description
Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses.
Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications.
Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required.
Security impact analyses are scaled in accordance with the security categories of the information systems.
Applicability
The intended audience includes, but is not limited to, custodians and/or owners of an information resource.
Implementation
TAMU-CC analyzes changes to the information system to determine potential security impacts prior to change implementation.
- All security-related information resource changes shall be approved by the information owner through a change control process.
- All change requests must include a description of the security impact of the change.
- The Change Management team shall consider the security impact of a change request during the review process.
- Approval shall occur prior to implementation by TAMU-CC or independent contractors.
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019