ofaheem1974
Viewer

Procedure For Security Impact Assessment

Hi,
 
I want to write the procedure for performing a Security Impact Assessment. The titles of my Security Impact Assessment are as follows:
 
Introduction
Methodology
Executive Summary
Scope
Purpose
Inventory and Classification
Risk/Threat Summary
Risk Control/ Expectations and Treatment Recommendations
 
Now, the thing I am looking for is that I have to write this procedure so that if somebody sees my SOP, they can quickly understand what they could write in Scope. Sometimes, people write, "The Scope of a Security Impact Assessment (SIA) is crucial in defining its boundaries and limitations. It identifies the areas that interact with or could impact information security. The Scope helps focus the assessment efforts and establishes clear expectations. It may outline limitations or constraints affecting the assessment process. Defining the Scope accurately is crucial as it ensures the assessment aligns with the organisation's security needs and objectives."
 
However, I need help finding this. I want to do my SOP and tell that person how to write Scope. The same applies to all other titles.
 
I have gone through NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, but was unable to get anything from it.
 
Any help will be highly appreciated.
 
Thanks and regards,
Osama Faheem
2 Replies
Steve-Wilme
Advocate II

I suspect that you're looking at either writing an infosec risk assessment or carrying out something akin to threat modelling, unless you are looking at carrying out an impact assessment of a proposed change that could affect a known class of assets.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
JoePete
Advocate I
@ofaheem1974 wrote:
Now, the thing I am looking for is that I have to write this procedure so that if somebody sees my SOP, they can quickly understand what they could write in Scope.

This may be a hard topic to speak about generically, but something that might help trigger your thinking is that the main purpose of an impact analysis/assessment is to determine how a proposed change impacts the security posture of a system. For example, does a new corporate logo impact the security of the company's web site? In this regard, everything is anchored to a change request, and so that request, if thorough enough, should help define the scope. In contrast, you're not bringing into play things unrelated to the change.

It's a bit like writing a testing procedure. If you have a product that has a new firmware update, your scope of testing will focus on that firmware. You're not (probably) putting it through physical tests (dropping etc.).

That said, an SIA can cause you to overlook some things. A new company logo may seem to be nothing, but now in the context of the LogoFAIL vulnerability, it could be a big deal. But you have to start somewhere. Your focus, your scope, is only on what is changing.