Test the system, application, and database for insecure configuration management parameters.

UCF ID: 01327
Control Type: Testing
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

    Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 6.2.b
    Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1, § 3.11, § 3.12.1, § 3.12.2
    ISO/IEC 20000-1 Information technology - Service Management Part 1, 2005, § 9.1
    ISO/IEC 20000-2 Information technology - Service Management Part 2, 2005, § 9.1.5
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 6.2(b)
    ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.5(1)
    Federal Information Security Management Act of 2002, § 3544(b)(2)(D)(iii)

Payment Card Guidance

Are configuration standards (and the configurations based upon them) updated as required to address new vulnerability issues? [§ 6.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

Are configuration standards (and the configurations based upon them) updated as required to address new vulnerability issues? [§ 6.2(b), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

Each agency must develop, document, and implement an information security program agency wide that includes policies and procedures that ensure compliance with the minimally acceptable system configuration requirements and other applicable requirements. [§ 3544(b)(2)(D)(iii), Federal Information Security Management Act of 2002]

System Configuration Guidance

If a device driver is located outside its assigned directory, it could mean an attempt has been made to compromise the system. The system administrator should check all local filesystems against the baseline on a weekly basis to detect extra device drivers, unauthorized suid/sgid files, and unauthorized modifications to authorized suid/sgid files. [§ 3.11, § 3.12.1, § 3.12.2, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1]
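The weekly baseline comparison the STIG passage calls for, written out as an added shell example that is not part of the UCF page or the STIG itself. It assumes a Linux host with GNU coreutils (stat -c, sha256sum) and file names without embedded newlines; the inventory records a content hash so that a modified authorized suid/sgid file is reported, not only files added or removed.

```shell
#!/bin/sh
# Added example: baseline check for setuid/setgid files on local filesystems.
# Assumes GNU stat/sha256sum (Linux); -xdev keeps find on one filesystem.
set -u

# One line per setuid/setgid regular file below $1, on the same filesystem:
#   <path> <octal mode>:<owner>:<group> <sha256 of contents>
suid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f; do
            printf "%s %s %s\n" "$f" "$(stat -c %a:%U:%G "$f")" \
                "$(sha256sum "$f" | cut -d" " -f1)"
        done' sh {} + | sort
}

# Record the approved state in $2. Run once after hardening, and again only
# after an approved change to a suid/sgid file has been verified.
save_suid_baseline() {
    suid_inventory "$1" > "$2"
}

# Compare the live inventory of $1 with the baseline file $2.
# Prints "-<entry>" for baseline entries no longer present (file removed,
# or its mode/owner/contents changed) and "+<entry>" for entries not in
# the baseline (new file, or a changed authorized file). A modified file
# therefore shows up as one "-" and one "+" line for the same path.
# Returns 0 when nothing deviates from the baseline, 1 otherwise.
check_suid_baseline() {
    root="$1"; baseline="$2"
    current=$(mktemp) || return 2
    suid_inventory "$root" > "$current"
    deviations=$(diff "$baseline" "$current" | sed -n 's/^< /-/p; s/^> /+/p')
    rm -f "$current"
    if [ -n "$deviations" ]; then
        printf '%s\n' "$deviations"
        return 1
    fi
    return 0
}
```

Scheduling `check_suid_baseline / /var/lib/suid-baseline.txt` from cron and alerting on a non-zero exit gives the weekly detection the STIG asks for; the baseline file should live on a path that the checked users cannot write.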

ISO Guidance

Configuration control procedures shall ensure that the integrity of systems, services and service components are maintained. [§ 9.1, ISO/IEC 20000-1 Information technology - Service Management Part 1, 2005]

Configuration verification and audit processes, both physical and functional, should be scheduled and a check performed to ensure that adequate processes and resources are in place to:
a) protect the physical configurations and the intellectual capital of the organization;
b) ensure that the organization is in control of its configurations, master copies and licenses;
c) provide confidence that configuration information is accurate, controlled and visible;
d) ensure that a change, a release, a system or an environment conforms to its contracted or specified requirements and that the configuration records are accurate.
Configuration audits should be carried out regularly, before and after major change, after a disaster and at random intervals.
Deficiencies and non-conformities should be recorded, assessed and corrective action initiated, acted upon and fed back to the relevant parties and plan for improving the service.
[§ 9.1.5, ISO/IEC 20000-2 Information technology - Service Management Part 2, 2005]

Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards are necessary in combination with other, for example, physical and technical, safeguards. Safeguards in the area of operational issues are listed below.
1. Configuration and Change Management
Configuration management is the process of keeping track of changes to IT systems. Its primary security goal is to ensure that changes to IT systems do not reduce the effectiveness of safeguards and the overall security provided. Change management can contribute to the identification of new security implications when changes occur to IT systems.
[¶ 8.1.5(1), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems for which approved configuration settings have been implemented as required by policy. [UCF Control ID 02097]
    Report on the percentage of systems with configurations that do not deviate from approved standards. [UCF Control ID 02098]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.