Establish and maintain a process to maintain the configuration management policy.

UCF ID: 00867
Control Type: Behavior
Status: Live

Supporting and supported controls

This control directly supports:

    Establish a set of key policies to support confidentiality, integrity, availability, and accountability. [UCF Control ID 00812]

This control has the following supporting controls:

    Establish a methodology to record configuration management items. [UCF Control ID 00861]
    Establish and maintain a current configuration baseline that is based upon the principle of least functionality. [UCF Control ID 00862]
    Ensure the configuration management procedures are being applied to firewalls, routers, managed switches, and hubs. [UCF Control ID 01281]
    Ensure the configuration management policy includes back-up procedures. [UCF Control ID 01314]

Authority documents complied with:

FFIEC IT Examination Handbook – Development and Acquisition, Pg 9, Pg 51 thru Pg 54; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 2.4, Exam Tier II Obj C.2; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 2.2; System Security Plan (SSP) Procedure, Version 1.0, App A § 3.6.1; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-311; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 4 CM-1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § CM-1; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CM-1; CobiT, Version 4.1, DS9.2; The Standard of Good Practice for Information Security, CB3.3.1(c), CB3.3.2(e), CI2.4.1(c), CI2.4.2(e), UE4.1.1(c), UE4.2.2(a); Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006, § 13; The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005, § 2.2 (2.2.010); ISO/IEC 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008, § 13.1; ISO/IEC 20000-1 Information technology - Service Management Part 1, 2005, § 9.1; OGC ITIL: Security Management, § 3.3.1; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 8.1.1; Australian Government ICT Security Manual (ACSI 33), § 3.10.5; Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008, Pg ES-2, § 4.2.5; DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11, § 3.12; DISA Windows XP Security Checklist, Version 6 Release 1.11, § 3.12; DISA Windows VISTA Security Checklist, Version 6 Release 1.11, § 3.1 (1.016); ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.5(1), ¶ 10.3.9; Federal Information Security Management Act of 2002, § 3544(b)(2)(D)(iii)

Banking and Finance Guidance

The organization should establish configuration management standards. [Pg 9, Pg 51 thru Pg 54, FFIEC IT Examination Handbook – Development and Acquisition]

[Exam Tier I Obj 2.4, Exam Tier II Obj C.2, FFIEC IT Examination Handbook – Information Security]

[Exam Tier I Obj 2.2, FFIEC IT Examination Handbook – Operations, July 2004]

Healthcare and Life Science Guidance

[App A § 3.6.1, System Security Plan (SSP) Procedure, Version 1.0]

US Federal Security Guidance

The organization must implement procedures for maintaining a configuration management plan. The configuration management plan must document the configuration of the system and the system connectivity. [§ 8-311, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

Each agency must develop, document, and implement an agency-wide information security program that includes policies and procedures that ensure compliance with the minimally acceptable system configuration requirements and other applicable requirements. [§ 3544(b)(2)(D)(iii), Federal Information Security Management Act of 2002]

US Internal Revenue Guidance

The organization must develop, document, distribute, and continuously update a configuration management policy that identifies roles, responsibilities, and procedures for the implementation of configuration management security controls. [Exhibit 4 CM-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

The organization must establish and maintain configuration management policies and procedures to develop, document, disseminate, and periodically review/update a policy that includes purpose, scope, roles, responsibilities, management commitment, coordination among entities, compliance, and implementation of configuration management policy and of associated controls. [App F § CM-1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records and documents should be examined to ensure the configuration management policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the configuration management policy and procedures control. Any problems discovered during the implementation of the configuration management policy and procedures control should be documented and used to improve the controls. The configuration management policy and procedures should be examined to ensure they address all areas and controls and meet the organization's mission and applicable laws, regulations, and directives. Interviews should be conducted with personnel involved in the configuration management process.
[CM-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization's configuration control and management program should include handheld devices. The configuration policy should include how to configure the software and hardware for the handheld devices; how to install patches and upgrades; which services and applications can be disabled and/or removed; which applications are required to be installed; how to set up user authentication mechanisms; a list of additional security controls that need to be installed; and how to certify and accredit handheld devices. [Pg ES-2, § 4.2.5, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008]

System Configuration Guidance

The Information Assurance Officer should ensure configuration policies are enforced to ensure untested software is not loaded onto production systems. [§ 13, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006]

All sites should have a policy in place to implement the security configurations on the system. Windows has Microsoft Security Configuration tools built into the operating system that can be used to ensure security configurations are enabled. [§ 3.12, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11]

A process should exist to implement system security configurations. Security configuration tools should be used to implement security compliance on the system. [§ 3.12, DISA Windows XP Security Checklist, Version 6 Release 1.11]

A policy should be in effect to implement security configurations on the system. [§ 3.1 (1.016), DISA Windows VISTA Security Checklist, Version 6 Release 1.11]

Other Configuration Guidance

The organization should establish configuration management procedures, including patch management and configuration control. [§ 2.2 (2.2.010), The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005]

ISO Guidance

A configuration management plan should be developed. The plan should describe each automated tool and how it is used. The configuration management system should automatically ensure only authorized changes are made to the product. [§ 13.1, ISO/IEC 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008]

There shall be a policy on what is defined as a configuration item and its constituent components. [§ 9.1, ISO/IEC 20000-1 Information technology - Service Management Part 1, 2005]

¶ 8.1.5(1) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards are necessary in combination with other, for example, physical and technical, safeguards. Safeguards in the area of operational issues are listed below.
1. Configuration and Change Management
Configuration management is the process of keeping track of changes to IT systems. Its primary security goal is to ensure that changes to IT systems do not reduce the effectiveness of safeguards and the overall security provided. Change management can contribute to the identification of new security implications when changes occur to IT systems.
¶ 10.3.9 Technical failure. An organization should implement safeguards to prevent technical failures, for example in a network, which can destroy the integrity of any information that is stored or processed in that network. Safeguards to protect against this are listed below.
• Operational issues: Configuration and change management, as well as capacity management, should be used to avoid failures of any IT system or network. Documentation and maintenance are used to ensure the trouble-free running of the system or network.
• Network management: Operational procedures, system planning and proper network configuration should be used to minimize the risks of technical failures.
• Power and air conditioning: Suitable power supply and air conditioning related safeguards, e.g. power surge protection, should be used where necessary to avoid any problems resulting from supply failure.
• Back-ups: Back-ups should be used to restore any information that has been damaged.
[¶ 8.1.5(1), ¶ 10.3.9, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

ITIL Guidance

[§ 3.3.1, OGC ITIL: Security Management]

General Guidance

The organization should put procedures in place to:
• Identify configuration items and their attributes
• Record new, modified and deleted configuration items
• Identify and maintain the relationships among configuration items in the configuration repository
• Update existing configuration items in the configuration repository
• Prevent the inclusion of unauthorized software
These procedures should provide proper authorization and logging of all actions on the configuration repository and be properly integrated with change management and problem management procedures.
[DS9.2, CobiT, Version 4.1]

All workstations and hand-held devices should have a standard software configuration and a standard hardware configuration. [CB3.3.1(c), CB3.3.2(e), CI2.4.1(c), CI2.4.2(e), UE4.1.1(c), UE4.2.2(a), The Standard of Good Practice for Information Security]

UK and Canadian Guidance

[§ 8.1.1, IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]

Asia and Pacific Rim Guidance

The network configuration should be under the control of a central network management authority. [§ 3.10.5, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of key IT assets for which an assurance strategy has been implemented. [UCF Control ID 01657]
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. [UCF Control ID 01679]
    Report on the percentage of systems for which approved configuration settings have been implemented as required by policy. [UCF Control ID 02097]
    Report on the percentage of systems with configurations that do not deviate from approved standards. [UCF Control ID 02098]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
