CCI-000333
CCI-000333 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if: - changes to the system are analyzed to determine potential security impacts prior to change implementation. - changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
Validation Procedures
Examine: [SELECT FROM: Configuration management policy; procedures addressing security impact analyses for changes to the system; procedures addressing privacy impact analyses for changes to the system; configuration management plan; security impact analysis documentation; privacy impact analysis documentation; privacy impact assessment; privacy risk assessment documentation, system design documentation; analysis tools and associated outputs; change control records; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibility for conducting security impact analyses; organizational personnel with responsibility for conducting privacy impact analyses; organizational personnel with information security and privacy responsibilities; system developer; system/network administrators; members of change control board or similar]. Test: [SELECT FROM: Organizational processes for security impact analyses; organizational processes for privacy impact analyses].