Impact Analysis—as indicated in the section on understanding, in order to implement a specifically targeted response, it is
necessary to know what the implications of a particular response strategy or action might be. In order to attain that level of
knowledge, the organization must develop a comprehensive and detailed impact analysis. This should be based on a formal
methodology ensuring a comprehensive and unambiguous understanding of all operational implications for the control set, its
requirements, and its associated architecture. Therefore, for each remediation option the organization must routinely
1. Identify the impact of change on the assurance case.
2. Identify the violation, exposure, or vulnerability type—the threat is explicitly classified by type.
3. Identify the scope of the violation, exposure, or vulnerability—the extent or boundary of the threat is fully and explicitly
itemized.
4. Provide a formal statement of the criticality of the violation, exposure, or vulnerability.
5. Document all feasible options for analysis.
6. Perform a comprehensive risk identification—identification of the type and extent of risk for each option.
7. Perform a detailed risk evaluation—assess the likelihood and feasibility of each identified risk for each option.
8. Estimate safety and security impacts if change is implemented—based on likelihood percentages and feasibility for each
option.
9. Estimate the safety and security impacts if change is not implemented—based on the likelihood of occurrence of financial
and operational impacts of each identified option.
10. Assess the impact of change on security and control architecture.
11. Perform control set understanding and design description exercise for all automated security and control features.
12. Estimate and assess the implications of change as they impact the policy and procedure infrastructure.
13. Estimate the impact of change on the business continuity/disaster recovery strategy.
14. Specify feasible recovery time, NRO, and recovery point impact estimates for each option.
15. Estimate the return on investment for each option, including total cost of ownership and marginal loss percentage.
16. Estimate the level of test and evaluation commitment necessary for verification and validation.
17. For each option, prepare a testing program—sample test cases and methods of administration.
18. Estimate the resource requirements, staff capability, and feasibility of administration of tests.
19. Estimate the financial impacts where appropriate for each option.
20. Estimate the feasibility and timelines for implementing each option.
21. Prepare a project plan for each option if detailed level of understanding required.
Once the options have been investigated, a basis for decision making exists