UCF ID: 01901 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
• Establish and maintain configuration control and status accounting for each system. [UCF Control ID 00863]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 5.1; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-311; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.5, Exhibit 4 CM-1; The Standard of Good Practice for Information Security, CB3.3.1(c), CB3.3.2(e), CI2.4.1(c), CI2.4.2(e), UE4.1.1(c), UE4.2.2(a); ISO/IEC 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008, § 13.1, § 13.2; ISO/IEC 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005, § 12.4.1.3.5, § 13.4.1.3.5, § 13.4.1.3.6, § 13.4.1.4, § 13.4.2.3.5, § 13.4.2.3.6; ISO/IEC 20000-2 Information technology - Service Management Part 2, 2005, § 9.1.1; OGC ITIL: Service Support, § 7.3.1; Australian Government ICT Security Manual (ACSI 33), § 3.10.5; Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008, § 4.2.5; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.4.1.D; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCPR-1
Banking and Finance Guidance
[Exam Tier I Obj 5.1, FFIEC IT Examination Handbook – Operations, July 2004]
Payment Card Guidance
Centralized management systems that can control and configure distributed wireless networks are recommended. [§ 4.4.1.D, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
US Federal Security Guidance
The configuration management plan must include formal change control procedures, system security documentation procedures, processes for testing and verifying the configuration management plan, and a way to verify that the configuration management plan is working effectively. [§ 8-311, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
Have you examined the Configuration management plan to ensure that it exists? [DCPR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
Have you examined the Configuration management plan to ensure that it includes the roles and responsibilities of individuals? [DCPR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
Have you examined the Configuration management plan to ensure that it includes a requirement for the existence of a configuration control board? [DCPR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
US Internal Revenue Guidance
The organization must develop, document, distribute, and continuously update a configuration management policy and procedures for implementing configuration management security controls. [§ 5.6.5, Exhibit 4 CM-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
The configuration policy should include how to configure the software and hardware for the handheld devices; how to install patches and upgrades; which services and applications can be disabled and/or removed; which applications are required to be installed; how to set up user authentication mechanisms; a list of additional security controls that need to be installed; and how to certify and accredit handheld devices. [§ 4.2.5, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008]
ISO Guidance
A configuration management plan should be developed. The plan should describe each automated tool and how it is used and ensure only authorized changes are made to configuration items. The configuration management system should automatically ensure only authorized changes are made to the product. [§ 13.1, § 13.2, ISO/IEC 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008]
The configuration management documentation should contain a configuration management plan and an acceptance plan. The configuration management plan should describe each of the automated tools that are used and tell how they are used.
Interviews should be conducted with developers to ensure they use a configuration management plan to keep track of the development process. [§ 12.4.1.3.5, § 13.4.1.3.5, § 13.4.1.3.6, § 13.4.1.4, § 13.4.2.3.5, § 13.4.2.3.6, ISO/IEC 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005]
The infrastructure and/or services should have up-to-date configuration management plan(s) that may be stand-alone or form part of other planning documents. They should include or describe:
a) scope, objectives, policies, standards, roles and responsibilities;
b) the configuration management processes to define the configuration items in the service(s) and infrastructure, control changes to the configurations, recording and reporting the status of configuration items and verifying the completeness and correctness of configuration items;
c) the requirements for accountability, traceability, auditability, e.g. for security, legal, regulatory or business purposes;
d) configuration control (access, protection, version, build, release controls);
e) interface control process for identifying, recording, and managing the configuration items and information at the common boundary of two or more organizations, e.g. system interfaces, releases;
f) planning and establishing the resources to bring assets and configurations under control and maintain the configuration management system, e.g. training;
g) management of suppliers and subcontractors performing configuration management. [§ 9.1.1, ISO/IEC 20000-2 Information technology - Service Management Part 2, 2005]
ITIL Guidance
Configuration Management planning consists of agreeing and defining:
• the strategy, policy, scope and objectives of Configuration Management
• the analysis of the current position of assets and configurations
• the organizational context, both technical and managerial, within which the Configuration Management activities are to be implemented
• the policies for related processes such as Change Management and Release Management
• interfaces, e.g. between projects, suppliers, application and support teams
• the relevant processes, procedures, guidelines, support tools, roles and responsibilities for each of the Configuration Management activities
• the location of storage areas and libraries used to hold hardware, software and documentation. [§ 7.3.1, OGC ITIL: Service Support]
General Guidance
Procedures should be developed to ensure all software and hardware implemented on workstations and hand-held devices are configured in a standard fashion over the entire organization. [CB3.3.1(c), CB3.3.2(e), CI2.4.1(c), CI2.4.2(e), UE4.1.1(c), UE4.2.2(a), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
The network configuration should be under the control of a central network management authority. [§ 3.10.5, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of key IT assets for which an assurance strategy has been implemented. [UCF Control ID 01657]
• Report on the percentage of systems for which approved configuration settings have been implemented as required by policy. [UCF Control ID 02097]
• Report on the percentage of systems with configurations that do not deviate from approved standards. [UCF Control ID 02098]
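The status accounting the supported control and the ISO/IEC 20000-2 text call for ("recording and reporting the status of configuration items and verifying the completeness and correctness of configuration items"), together with the two configuration metrics above, can be computed mechanically once a baseline and an approved-change log exist. The following is an added illustrative example, not code from the UCF or any of the authority documents cited on this page. The baseline items, the change record CR-0001, the three system configurations and the metric definitions (a setting counts as "implemented as required by policy" when it matches the baseline or a change the control board approved for that system; a system "does not deviate" only when every item matches the baseline exactly) are all assumptions constructed for the example.

```python
"""Configuration status accounting against an approved baseline.

Added example (not from the UCF page or the cited standards). All
baseline items, change records and observed configurations below are
constructed for illustration.
"""
import hashlib
import json

# Approved baseline: configuration item -> required value (constructed).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "ntp.server": "time.example.internal",
}

# Change records approved by the configuration control board (constructed).
# Each one authorizes a single item to hold a single value on one system.
APPROVED_CHANGES = [
    {"id": "CR-0001", "system": "web-01",
     "item": "ntp.server", "value": "time2.example.internal"},
]

# Configurations as collected from the systems (constructed sample data).
OBSERVED = {
    "web-01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
               "audit.enabled": "yes", "ntp.server": "time2.example.internal"},
    "db-01":  {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
               "audit.enabled": "yes", "ntp.server": "time.example.internal"},
    # app-01: root login enabled without a change record, auditing missing.
    "app-01": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
               "ntp.server": "time.example.internal"},
}


def config_fingerprint(config):
    """SHA-256 of the canonical JSON form of a configuration.

    Status accounting records this per system; any later change to the
    configuration changes the fingerprint, so drift is detectable even
    before the individual items are compared.
    """
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def authorized_value(system, item, approved=APPROVED_CHANGES):
    """Value an approved change record authorizes for system/item, or None."""
    for change in approved:
        if change["system"] == system and change["item"] == item:
            return change["value"]
    return None


def check_system(system, observed, baseline=BASELINE, approved=APPROVED_CHANGES):
    """Compare one system against the baseline.

    Returns a list of (item, expected, actual, authorized) tuples. A
    missing item is reported with actual=None; a deviation is authorized
    only when a change record for that system names the observed value.
    """
    deviations = []
    for item, expected in baseline.items():
        actual = observed.get(item)
        if actual == expected:
            continue
        authorized = actual is not None and authorized_value(system, item, approved) == actual
        deviations.append((item, expected, actual, authorized))
    return deviations


def status_report(observed_by_system, baseline=BASELINE, approved=APPROVED_CHANGES):
    """Per-system deviations plus the two fleet-wide percentages.

    pct_implemented_per_policy: systems whose every deviation is covered by
    an approved change (assumed reading of UCF metric 02097).
    pct_no_deviation: systems with no deviation at all from the baseline
    (assumed reading of UCF metric 02098).
    """
    systems = {}
    for name, cfg in observed_by_system.items():
        devs = check_system(name, cfg, baseline, approved)
        systems[name] = {
            "fingerprint": config_fingerprint(cfg),
            "deviations": devs,
            "unauthorized": [d for d in devs if not d[3]],
        }
    total = len(systems)
    implemented = sum(1 for s in systems.values() if not s["unauthorized"])
    no_deviation = sum(1 for s in systems.values() if not s["deviations"])
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "systems": systems,
        "pct_implemented_per_policy": pct(implemented),
        "pct_no_deviation": pct(no_deviation),
    }


if __name__ == "__main__":
    report = status_report(OBSERVED)
    for name, entry in report["systems"].items():
        print(f"{name} {entry['fingerprint'][:12]} "
              f"deviations={len(entry['deviations'])} "
              f"unauthorized={len(entry['unauthorized'])}")
        for item, expected, actual, ok in entry["deviations"]:
            print(f"  {item}: expected {expected!r}, found {actual!r}"
                  f"{' (approved change)' if ok else ' (UNAUTHORIZED)'}")
    print("implemented per policy:", report["pct_implemented_per_policy"], "%")
    print("no deviation from standard:", report["pct_no_deviation"], "%")
```

Run stand-alone it reports web-01 as deviating from the standard only through the approved change CR-0001, db-01 as fully compliant, and app-01 with two unauthorized deviations; any unauthorized deviation is the signal that a change bypassed the configuration control board and should be raised as an incident or a retroactive change request, never silently re-baselined.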
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
