CM-4 - Security Impact Analysis
Control requirements
- CM-4 - 0: The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
IBM Cloud for Financial Services profile
The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.
- Check whether DevSecOps Toolchain scans build artifacts to identify vulnerabilities
- Check whether DevSecOps Toolchain verifies source code branch protection rules to enforce security policies
- Check whether DevSecOps Toolchain validates code against Center for Internet Security (CIS) Docker benchmarks to ensure container runtimes are configured securely
- Check whether DevSecOps Toolchain passes dynamic code scan to identify vulnerabilities in deployed artifacts
- Check whether DevSecOps Toolchain scans source code and its dependencies to identify vulnerabilities
- Check whether DevSecOps Toolchain source code contains no secrets
- Check whether DevSecOps Toolchain passes static code scan to identify vulnerabilities in source code
- Check whether DevSecOps Toolchain deployment has approved change documentation including security impact analysis
NIST supplemental guidance
Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.