Report on the percentage of systems for which approved configuration settings have been implemented as required by policy

Status: Live

The organization will report on the percentage of systems for which approved configuration settings have been implemented as required by policy. [UCF ID 02097]

Metric guidance

Calculation: The calculation for this metric is # of systems for which approved configuration settings have been implemented as required by policy / # of IT systems.

Calculation source: No authority document source of information exists. The following formula was used: the number of systems that have been configured according to approved policies, standards, and procedures divided by the number of systems listed in the CMDB for each business unit (or the organization as a whole) .

The Common Control IDs associated with this metric are as follows:

Testing for configuration management [UCF Control ID 01327]

Network configuration [UCF Control ID 00530]

Secure router configurations against unauthorized changes [UCF Control ID 00541]

Configure firewalls, routers, and networking equipment to follow organizational compliance mandates in order to protect confidential information and systems [UCF Control ID 01284]

Synchronize and secure all router and firewall configuration files [UCF Control ID 01291]

Ensure and maintain Wireless LAN design and configuration criteria [UCF Control ID 01646]

Ensure configuration management procedures are applied to firewalls, routers, managed switches and hubs [UCF Control ID 01281]

Maintain configuration control and status accounting for each system [UCF Control ID 00863]

Configure system security parameters to prevent misuse [UCF Control ID 00881]

Configuration management plan is provided [UCF Control ID 01446]

System hardening through configuration management [UCF Control ID 00860]

Maintain a configuration management plan [UCF Control ID 01901]

Maintain the configuration management policy [UCF Control ID 00867]

Establish an organizational framework of policies, standards, and procedures [UCF Control ID 01406]

Supporting and supported controls

This control directly supports:

Establish and maintain a status of Configuration Management metrics management program [UCF Control ID 02077]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10,2005, ISPE21.1; Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1, App A Measure 7

US Federal Security Guidance

The organization must measure and report on the percentage of systems for which approved configuration settings have been implemented as required by policy. [ISPE21.1, CISWG Information Security Program Elements, January 10,2005]

NIST Guidance

The calculation for this metric should be stated as the # of configuration changes in the latest automated baseline configuration that have been approved and implemented / # of configuration changes identified through automated scans. Use the number of configuration changes identified through the use of automated scans as the base number divided by the number of configuration changes that have been approved and implemented in the latest baseline configuration document. [App A Measure 7, Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1]