UIS.203.5 Security Impact Analysis Guidelines

In support of UIS.203 Configuration Management Policy

Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework. 

When significant changes are planned for, or made to, University technology assets, systems, applications, or networks, a security impact analysis is conducted in order to determine which controls must be assessed for proper implementation and operation. The Security impact analysis may include, but is not limited to, reviewing security plans to understand security control requirements,  analyzing system design documentation to understand control implementation, and how specific changes might impact the University’s security controls.  

Security Impact Analysis Requirements

  1. Identification of the regulatory or legal requirements that address the security, confidentiality, and privacy requirements for university functions or services.  

  2. Identification of restricted or protected information, which is stored in the university resources, and the potential for fraud, misuse, or other illegal activity involving that information. Data classifications are defined within the University Information Classification Policy. 

  3. Identification of essential access control mechanisms used for requests, authorization, and access approval in support of the University’s critical  systems, applications, functions and services.  

  4. Identification of the processes used to monitor and report on applications, tools and technologies the University has implemented to adequately manage the risk as defined by UISO. 

  5. Identification of the security mechanisms that are in place to conceal university data (e.g. encryption, data masking, etc.) 

  6. Analysis and evaluation of changes for the impact on security before they are approved and implemented. 

  7. Security risk analysis requirements and definitions are addressed in the Risk Assessment Policy.