Report on the percentage of systems with configurations that do not deviate from approved standards

Status: Live

The organization will report on the percentage of systems with configurations that do not deviate from approved standards. [UCF ID 02098]

Metric guidance

Calculation: (number of systems with configurations that do not deviate from approved standards) / (number of IT systems).

Calculation source: No authority document source of information exists. The following formula was used: the number of systems whose configuration settings do not differ from the requirements stated in the policies, standards, and procedures, divided by the number of systems listed in the CMDB for each business unit (or the organization as a whole).

The Common Control IDs associated with this metric are as follows:

Supporting and supported controls

This control directly supports:

    Establish and maintain a status of Configuration Management metrics management program [UCF Control ID 02077]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE21.2

US Federal Security Guidance

The organization must measure and report on the percentage of systems with configurations that do not deviate from approved standards. Management should establish specific approved system configurations as policy for each operating system environment. The approved configurations will generally be based on a recognized standard of practice and some degree of local deviation that may be justified by operational necessity. The number of deviations from approved configurations should be kept to a minimum via a waiver process. An important configuration control is to disable unneeded services and to allow them to be enabled only in the course of a managed change process. [ISPE21.2, CISWG Information Security Program Elements, January 10, 2005]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.