Status: Live
The organization will report on the percentage of systems with configurations that do not deviate from approved standards. [UCF ID 02098]
Metric guidance
Calculation: The calculation for this metric is # of systems with configurations that do not deviate from approved standards / # of IT systems.
Calculation source: No authority document source of information exists. The following formula was used: the number of systems whose configuration settings do not differ from the requirements stated in the policies, standards, and procedures divided by the number of systems listed in the CMDB for each business unit (or the organization as a whole).
The Common Control IDs associated with this metric are as follows:
• All mobile computers should be equipped with a firewall that is installed, active, configured by the organization, and not changeable by the end user [UCF Control ID 00550]
• Testing for configuration management [UCF Control ID 01327]
• Network configuration [UCF Control ID 00530]
• Secure router configurations against unauthorized changes [UCF Control ID 00541]
• Synchronize and secure all router and firewall configuration files [UCF Control ID 01291]
• Ensure and maintain Wireless LAN design and configuration criteria [UCF Control ID 01646]
• Ensure configuration management procedures are applied to firewalls, routers, managed switches and hubs [UCF Control ID 01281]
• Maintain configuration control and status accounting for each system [UCF Control ID 00863]
• Configure system security parameters to prevent misuse [UCF Control ID 00881]
• Configuration management plan is provided [UCF Control ID 01446]
• System hardening through configuration management [UCF Control ID 00860]
• Maintain a configuration management plan [UCF Control ID 01901]
• Maintain the configuration management policy [UCF Control ID 00867]
Supporting and supported controls
This control directly supports:
• Establish and maintain a status of Configuration Management metrics management program [UCF Control ID 02077]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10, 2005, ISPE21.2
US Federal Security Guidance
The organization must measure and report on the percentage of systems with configurations that do not deviate from approved standards. Management should establish specific approved system configurations as policy for each operating system environment. The approved configurations will generally be based on a recognized standard of practice and some degree of local deviation that may be justified by operational necessity. The number of deviations from approved configurations should be kept to a minimum via a waiver process. An important configuration control is to disable unneeded services and to only allow them to be enabled in the course of a managed change process. [ISPE21.2, CISWG Information Security Program Elements, January 10, 2005]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
