Report on the percentage of systems with configurations that do not deviate from approved standards.

UCF ID: 02098
Control Type: Actionable Reports or measurements
Status: Live

Metric guidance

Calculation: The calculation for this metric is # of systems with configurations that do not deviate from approved standards / # of IT systems.

Calculation source: No authority document source of information exists. The following formula was used: the number of systems whose configuration settings do not differ from the requirements stated in the policies, standards, and procedures, divided by the number of systems listed in the CMDB for each business unit (or the organization as a whole).

The Common Control IDs associated with this metric are as follows:

    Install firewalls on all mobile computers, correctly configure all firewalls, and prevent the firewalls from being disabled or changed by end users. [UCF Control ID 00550]
    Test the system, application, and database for insecure configuration management parameters. [UCF Control ID 01327]
    Establish and maintain documentation for controlling the network configuration. [UCF Control ID 00530]
    Secure the router configurations against unauthorized changes. [UCF Control ID 00541]
    Synchronize and secure all router and firewall configuration files. [UCF Control ID 01291]
    Establish and maintain Wireless LAN design and configuration criteria. [UCF Control ID 01646]
    Ensure the configuration management procedures are being applied to firewalls, routers, managed switches, and hubs. [UCF Control ID 01281]
    Establish and maintain configuration control and status accounting for each system. [UCF Control ID 00863]
    Configure the system security parameters to prevent misuse of the system. [UCF Control ID 00881]
    Ensure the information system developer has a configuration management plan for all newly acquired IT assets. [UCF Control ID 01446]
    System hardening through configuration management [UCF Control ID 00860]
    Establish and maintain a configuration management plan. [UCF Control ID 01901]
    Establish and maintain a process to maintain the configuration management policy. [UCF Control ID 00867]

Supporting and supported controls

This control directly supports:

    Establish and maintain a status of Configuration Management management metrics program. [UCF Control ID 02077]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE21.2

US Federal Security Guidance

The organization must measure and report on the percentage of systems with configurations that do not deviate from approved standards. Management should establish specific approved system configurations as policy for each operating system environment. The approved configurations will generally be based on a recognized standard of practice and some degree of local deviation that may be justified by operational necessity. The number of deviations from approved configurations should be kept to a minimum via a waiver process. An important configuration control is to disable unneeded services and to only allow them to be enabled in the course of a managed change process. [ISPE21.2, CISWG Information Security Program Elements, January 10, 2005]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.