Report on the percentage of systems for which approved configuration settings have been implemented as required by policy.

UCF ID: 02097
Control Type: Actionable Reports or measurements
Status: Live

Metric guidance

Calculation: The calculation for this metric is # of systems for which approved configuration settings have been implemented as required by policy / # of IT systems.

Calculation source: No authority document source of information exists. The following formula was used: the number of systems that have been configured according to approved policies, standards, and procedures divided by the number of systems listed in the CMDB for each business unit (or the organization as a whole).

The Common Control IDs associated with this metric are as follows:

    Test the system, application, and database for insecure configuration management parameters. [UCF Control ID 01327]
    Establish and maintain documentation for controlling the network configuration. [UCF Control ID 00530]
    Secure the router configurations against unauthorized changes. [UCF Control ID 00541]
    Configure firewalls, routers, and networking equipment to protect restricted data or information in accordance with organizational compliance mandates. [UCF Control ID 01284]
    Synchronize and secure all router and firewall configuration files. [UCF Control ID 01291]
    Establish and maintain Wireless LAN design and configuration criteria. [UCF Control ID 01646]
    Ensure the configuration management procedures are being applied to firewalls, routers, managed switches, and hubs. [UCF Control ID 01281]
    Establish and maintain configuration control and status accounting for each system. [UCF Control ID 00863]
    Configure the system security parameters to prevent misuse of the system. [UCF Control ID 00881]
    Ensure the information system developer has a configuration management plan for all newly acquired IT assets. [UCF Control ID 01446]
    System hardening through configuration management [UCF Control ID 00860]
    Establish and maintain a configuration management plan. [UCF Control ID 01901]
    Establish and maintain a process to maintain the configuration management policy. [UCF Control ID 00867]
    Establish and maintain an organizational framework of policies, standards, and procedures. [UCF Control ID 01406]

Supporting and supported controls

This control directly supports:

    Establish and maintain a status of Configuration Management management metrics program. [UCF Control ID 02077]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE21.1; Performance Measurement Guide for Information Security, NIST 800-55, Revision 1, App A Measure 7

US Federal Security Guidance

The organization must measure and report on the percentage of systems for which approved configuration settings have been implemented as required by policy. [ISPE21.1, CISWG Information Security Program Elements, January 10, 2005]

NIST Guidance

The calculation for this metric should be stated as the # of configuration changes in the latest automated baseline configuration that have been approved and implemented / # of configuration changes identified through automated scans. Use the number of configuration changes identified through automated scans as the base number (the denominator), and divide into it the number of configuration changes that have been approved and implemented in the latest baseline configuration document (the numerator). [App A Measure 7, Performance Measurement Guide for Information Security, NIST 800-55, Revision 1]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.