Security Impact Analysis (CM-4) And Risk Acceptance Memo Or Waiver Q2

  • Security Impact Analysis (SIA)
    • Security Impact Analysis (SIA) is the analysis conducted by an organizational official to determine the extent to which changes to the information system will affect the security state of the system prior to change implementation.
    • Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls.
    • Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required.
  • Risk Acceptance Memo/Waiver
    • This memo documents the justification for accepting the risk of a known deficiency or of a deviation from mandatory policies or controls. The system owner/project manager is responsible for writing both the justification and the compensating control. A compensating control must be defined in order to obtain full approval for a risk acceptance.
